Organizing Committee's Message

Past research on the mathematical foundation of computer science has focused mostly on the study of the mathematics of software objects, and very little has been done to develop software objects on a mathematical basis. Languages, programs, and the process of program execution have been identified as fundamental objects of study of computer science as a discipline. Moreover, algebraists and computer scientists have begun to relate the abstractions in computer science to the process of abstract representation in universal algebra. A strong trend of applying universal algebras as the mathematical foundation of computer science is in vogue. In pursuing this trend we need to observe, however, that there are differences between the objects and methods used in universal algebra and computer science. While abstractions used in universal algebra represent the behavior of ideal (mathematical) objects, abstractions in computer science represent the behavior of real (physical) objects. While the ideal character of the abstractions in universal algebra allows systematic approaches to their specification and the development of formal notations naturally suited to handling them, computer science develops formal notations to denote real objects that are rarely formally specified. While an algebraic language accommodates naturally the semantics, the syntax, and the semantics-syntax association of the algebraic abstractions, the syntax and the semantics of a computer language are specified by different mechanisms and their association into a language is artificial.

The similarities of the abstractions handled in universal algebra and computer science lead to the development of new mathematical theories. Our conjecture is that, keeping in view also the differences between the abstractions used in universal algebra and computer science, new mathematics can be created that will facilitate the construction of the (software) objects arising in computer science. The goal of this conference is to consolidate this conjecture, looking at algebraic methodology as a foundation for software technology and showing that universal algebra provides a practical mathematical alternative to the ad hoc approaches used in software development. This idea was well received by the international and national industrial and research communities, reflecting the desire for the development of software technology on a mathematical basis. Therefore, unlike other conferences on mathematical foundations of computer science, in which usually the mathematics is enriched with new theories originating in computer science, the submissions to this conference indeed show developments in computer science that originate in mathematics.

From the 89 submissions we received we could deduce a large spectrum of uses of algebraic methods as the mathematical basis of the new software technology. The major directions extracted from these submissions formed the guidelines for the organization of the technical program of the conference and are:
• Formalizing the concept of a process and modeling the computer activity as an algebra of processes.

• New alternatives for computer language specification and implementation based on universal algebras rather than grammars.

• Formal models of the parallel and distributed systems.

• Type algebra allowing the extension of the class of first order values.

• General application of the algebra to software development and maintenance.

There are 5 invited talks from the following distinguished speakers: R. Constable (Cornell University, USA), W. F. Lawvere (State University of New York at Buffalo, USA), J. Meseguer (SRI International, USA), M. Nivat (The University of Paris VII, France), and E. Wagner (IBM Thomas J. Watson Research Center, USA). Our special thanks to them for taking time from their busy schedules and accepting our invitation to give a talk. They will provide special insight into current areas of research reflecting the theme of the conference.

There are 27 contributed papers in the proceedings. Of the 89 papers submitted in response to the call for papers, 27 were selected for presentation at the conference. The selection process was carried out by the program committee along with the following additional reviewers: Maria Zamfir-Bleyberg (Kansas State University), Steve Bruell (University of Iowa) and Mahesh Dodani (University of Iowa). Each paper was reviewed by at least two reviewers and the final selection was based on the composite scores, originality and relevance to the theme of the conference. We wish to thank all the reviewers for their time and effort. In addition, we wish to thank all those who submitted papers.

The conference would not have been possible without the generous support of the following sponsors: Office of Naval Research, XEROX Corporation - Webster Research Center, and the Departments of Computer Science and Mathematics of the University of Iowa. We would like to thank all of them for their financial assistance and interest. Finally, we would like to thank our secretaries Cyndi, Beth, Julie and Margaret for their assistance in secretarial matters.

An issue of the international journal "Theoretical Computer Science" will be dedicated to this conference. All participants at the conference are invited to submit papers to this issue. The submissions should be sent, no later than August 1, 1989, to:

AMAST Organizing Committee
Department of Computer Science
The University of Iowa
Iowa City, IA 52242, USA

Conference Program

Sunday, May 21, 6:30-8:30pm Reception
Monday, May 22, 8:00-8:45 Registration

Monday 22, 8:45-9:00 Welcome, Introduction: Fleck, A., Conference Chair.

Monday 22, 9:00-12:30: Session 1 Process Algebra
(Chair: Nelson, G., The University of Iowa, Iowa, USA)

• 9:00-10:00 Invited talk: Minimal Finite Transition Systems, Nivat, M., Université Paris VII, France.

• 10:00-10:30 Baeten, J., Algebra of Communicating Processes.

10:30-11:00 Coffee break

• 11:00-11:30 Crew, R. F., Parameterized Process Category.

• 11:30-12:00 Pigozzi, D., Equality-Test and If-Then-Else Algebras: Axiomatization and Specification.

• 12:00-12:30 Benson, D. B., Iyer, R.R., Algebraic Structure of Petri-Nets and Nondeterminism.

12:30-2:00 Lunch

Monday 22, 2:00-6:00 Session 2 Algebraic Methods for Language Specification
(Chair: Hatcher, W.S., University Laval, Quebec, Canada)

• 2:00-3:00 Invited talk: Display of Graphics and their Applications, as Exemplified by 2-Categories and Hegelian "Taco", William F. Lawvere, Buffalo University, USA.

• 3:00-3:30 Bidoit, M., The Stratified Loose Semantics: An Attempt to Provide an Adequate Algebraic Model of Modularity.

• 3:30-4:00 Jacobs, D., Ehrig, H., Fey, W., Hansen, H., Lowe, M., Algebraic Concepts for the Evolution of Module Families.

4:00-4:30 Coffee break

• 4:30-5:00 Bradley, L., An Algebraic Approach to the Early Stages of Language Design.

• 5:00-5:30 Talcott, C. L., Algebraic Methods in Programming Language Theory.

• 5:30-6:00 Parpucea, I., Dynamic Extension of Programming Language Semantics.

• 7:30 Social hour

Tuesday 23, 8:30-12 Session 3 Parallel and Distributed Processing
(Chair: Cornell, A., Brigham Young University, Utah, USA)

• 8:30-9:30 Invited talk: General Logics, José Meseguer, SRI, USA.

• 9:30-10:00 Logrippo, L., LOTOS: An Algebraic Specification Language for Distributed Systems.

10:00-10:30 Coffee break

• 10:30-11:00 Miller, S., Kuhl, J., Modeling Distributed Systems as Distributed Data Types.

• 11:00-11:30 Ionescu, D., Wen, L., A Formal Mathematical Model for Detecting the Subroutine Dependencies: A Logic Programming Approach.

• 11:30-12 Martin, G.A.R., Norris, M.T., Everett, R.P., Shields, M.W., The CCS Interface Equation - An Example of Specification Construction Using Rigorous Techniques.

12-1:30 Lunch

Tuesday 23, 1:30-5:30 Session 4 Types, Polymorphism and λ-Calculus
(Chair: Main, M., University of Colorado at Boulder, Colorado, USA)

• 1:30-2:30 Invited talk: Implementing Mathematics as an Approach for Formal Reasoning, R. Constable, Cornell University, USA.

• 2:30-3:00 Hatcher, W.S., Tonga, M., Pairings on Lambda Algebras.

• 3:00-3:30 Zhang, H., Constructor Models as Abstract Data Types.

3:30-4:00 Coffee break

• 4:00-4:30 Riecke, J.G., Bloom, B., LCF Should be Lifted.

• 4:30-5:00 Scollo, G., Manca, V., Salibra, A., DELTA: A Deduction System Integrating Equational Logic and Type Assignment.

• 5:00-5:30 Janicki, R., Muldner, T., On Algebraic Transformations of Sequential Specifications.

• 6:30 Banquet (Buses depart)

Wednesday 24, 8:30-12 Session 5 Algebraic Software Development
(Chair: Schmidt, D., Kansas State University, Kansas, USA)

• 8:30-9:30 Invited talk: An Algebraically Specified Language for Data Directed Design, Eric Wagner, IBM Thomas J. Watson Center, USA.

• 9:30-10:00 Rattray, C.I.M., Modeling the Software Process.

10:00-10:30 Coffee break

• 10:30-11:00 Wells, C., Path Grammars.

• 11:00-11:30 Pratt, V., Enriched Categories and Floyd-Warshall Connection.

• 11:30-12 Dauchet, M., Tison, S., Finite Automata, Algorithms and Software Design.

12-1:30 Lunch

Wednesday 24, 1:30-5:00 Session 6 Algebraic Semantics of Programs
(Chair: Rattray, C.I.M., University of Stirling, Stirling, Scotland)

• 1:30-2:00 Schmidt, D., Even, S., Category-Sorted Algebra-Based Action Semantics.

• 2:00-2:30 Vidal, D., The De Bruijn Algebra.

• 2:30-3:00 Oguztuzun, H.M., A Game Characterization of the Observational Equivalence of Processes.

3:00-3:30 Coffee break

• 3:30-4:00 Wijland, W.P., Van Glabbeek, R.J., Refinement in Branching Time Semantics.

• 4:00-4:30 Kent, R.E., Dialectical Program Semantics.

• 4:30-5:00 Concluding remarks
ON MINIMAL FINITE TRANSITION SYSTEMS¹

Maurice Nivat, L.I.T.P., University Paris VII

¹ Part of an unfinished paper.

Introduction

The theory of finite automata, which we shall rather call finite transition systems, is certainly the oldest chapter of theoretical computer science. Most of the algebraic results come from the consideration of deterministic automata, since there is in each class of automata recognizing the same language a "minimal" one which has indeed the smallest number of states but also is the image in a morphism of all the automata in the class. Everyone knows how to compute this minimal automaton, which is unique, from either a given automaton or a rational expression representing its language. Moreover this automaton is closely linked with the syntactic monoid and the so-called Nerode equivalence, which is the smallest right-regular equivalence relation which saturates the language.

The situation is entirely different if one considers non-deterministic finite transition systems: it is immediate that one may have two equivalent finite transition systems, recognizing the same language, which have the same smallest number of states and which cannot be mapped by morphisms onto a same smaller finite transition system recognizing the same language. The study of finite transition systems has been greatly enhanced in recent years by the construction of various models of parallel or distributed systems. Among these models the calculus CCS of Robin Milner has been extremely influential. In this paper we borrow many ideas from R. Milner's work, especially the notion of observational equivalence and its reformulation by André Arnold and Anne Dicky using morphisms, which we call MR-morphisms in the sequel. It is a restricted notion of equivalence based on the idea that two systems are equivalent if each one simulates the other one. The simulation of $S_1$ by $S_2$ means that for every possible behaviour of $S_1$ there exists a simulating behaviour of $S_2$ with the property that at each instant of time $S_2$ will be in a state in which it can perform all the actions which $S_1$ may perform and only those.

We introduce a more general notion of equivalence using the family of functional morphisms: a functional morphism of $S_1$ onto $S_2$ has the property that every behaviour (or computation) of $S_2$ is the image of a behaviour of $S_1$. We thus characterize the equivalence

$S_1 \sim_F S_2 \iff \mathcal{L}(S_1) = \mathcal{L}(S_2)$

where $\mathcal{L}(S)$ is the global language of a system, i.e. the set of traces of all the computations from any state to any state. The characterization is extremely similar to the characterization of MR-morphisms.

In a last chapter we consider deterministic systems and surprisingly we discover that under various assumptions (right separatedness, strong connectivity) the functional morphisms happen to be MR-morphisms.
I. Morphisms and quotients of Finite Transition Systems

We shall use the following definitions and notations.

If $S = \langle Q, T\rangle$ is an FTS and $R$ is an equivalence relation on $Q$ we define the quotient of $S$ by $R$ as the FTS $S/R = \langle Q/R, T/R\rangle$ where

$Q/R$ is the set of equivalence classes modulo $R$ (we denote $[q]_R$, or simply $[q]$, the equivalence class of $q$);

$T/R$ is the set of transitions

$T/R = \{([q] \xrightarrow{a} [q']) \mid \exists q_1 \in [q],\ \exists q'_1 \in [q'] : (q_1 \xrightarrow{a} q'_1) \in T\}$.

A quotient of $S$ is also the image of $S$ by a morphism: a morphism $h$ of $S$ is defined by a mapping $h$ of $Q$ onto a finite set $h(Q)$, the image $h(S)$ being the FTS

$h(S) = \langle h(Q), h(T)\rangle$ where $h(T) = \{(h(q) \xrightarrow{a} h(q')) \mid (q \xrightarrow{a} q') \in T\}$.

Clearly if $R$ is an equivalence relation, the canonical mapping $h_R$ of $Q$ onto $Q/R$ is a morphism of $S$ onto $S/R$ and we can write $h_R(S) = S/R$.

Conversely a mapping $h$ of $Q$ onto $h(Q)$ defines the canonical equivalence relation $R_h$ such that

$q\ R_h\ q' \iff h(q) = h(q')$

and the morphic image $h(S)$ is isomorphic to the quotient $S/R_h$.

A computation of the transition system $S = \langle Q, T\rangle$ is denoted $q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \cdots \xrightarrow{a_n} q_n$, assuming that for all $i \in [n]$, $q_{i-1} \xrightarrow{a_i} q_i$ is a transition of $T$.

We denote $\mathrm{Comp}(S, q, q')$ the set of all computations $q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n$ such that $q_0 = q$ and $q_n = q'$.

The sets $\mathrm{Comp}(S, q, Q)$ and $\mathrm{Comp}(S, Q, q')$ are defined as

$\mathrm{Comp}(S, q, Q) = \bigcup \{\mathrm{Comp}(S, q, q') \mid q' \in Q\}$

$\mathrm{Comp}(S, Q, q') = \bigcup \{\mathrm{Comp}(S, q, q') \mid q \in Q\}$

The trace of the computation $c = (q_0 \xrightarrow{a_1} q_1 \cdots \xrightarrow{a_n} q_n)$ is $\lambda(c) = a_1 a_2 \ldots a_n$, which is a word in $A^+$.

And we define the following sets of traces

$L(S, q, q') = \lambda(\mathrm{Comp}(S, q, q'))$ if $q \neq q'$

$L(S, q, q') = \{\varepsilon\} \cup \lambda(\mathrm{Comp}(S, q, q'))$ if $q = q'$

(we assume that there is always an empty computation $q \xrightarrow{\varepsilon} q$ from any state $q$ to itself)

$L(S, q, Q) = \bigcup \{L(S, q, q') \mid q' \in Q\}$

$L(S, Q, q') = \bigcup \{L(S, q, q') \mid q \in Q\}$

And eventually we denote $\mathcal{L}(S)$ the global language of $S$, defined by

$\mathcal{L}(S) = \bigcup \{L(S, q, q') \mid q, q' \in Q\}$.

We note that $\mathcal{L}(S)$ is factorial, i.e. satisfies

- for all $f_1, f_2, f_3 \in A^+$: $f_1 f_2 f_3 \in \mathcal{L}(S) \implies f_2 \in \mathcal{L}(S)$.

The following properties are immediate.

Let $h$ be a morphism of $S$ onto $h(S)$ and $c = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n$ be a computation of $S$; then $h(c) = h(q_0) \xrightarrow{a_1} h(q_1) \xrightarrow{a_2} \cdots \xrightarrow{a_n} h(q_n)$ is a computation of $h(S)$.

Thus we have

Property For every morphism $h$ of a transition system $S = \langle Q, T\rangle$ one has

$h(\mathrm{Comp}(S, q, q')) \subseteq \mathrm{Comp}(h(S), h(q), h(q'))$ and $L(S, q, q') \subseteq L(h(S), h(q), h(q'))$.

It is not generally true that these inclusions are equalities, and the morphisms for which they are indeed equalities will play a major role in the sequel.

Definition The morphism $h$ of $S$ onto $h(S)$ is functional iff every computation in $h(S)$ is the image under $h$ of a computation in $S$.
Equivalence of FTS

Several notions of equivalence will be considered in the present paper. Three of them will be attached to families of morphisms which have the Church-Rosser property.

The family $H$ of morphisms is a Church-Rosser family (or is CR) iff

- the identity belongs to $H$;

- $H$ is closed under composition;

- if $S$ is an FTS and $h_1$, $h_2$ are $H$-morphisms of $S$ onto $h_1(S) = S_1$ and $h_2(S) = S_2$, then there exist two $H$-morphisms $h'_1$ and $h'_2$ such that $h'_1(S_1) = h'_2(S_2)$.

This last property can be visualized by the diamond diagram (not reproduced here).

Property 1.2 If $H$ is a Church-Rosser family of morphisms then the relation $\equiv_H$ defined by

$S_1 \equiv_H S_2 \iff \exists h_1, h_2 \in H : h_1(S_1) = h_2(S_2)$

is an equivalence relation between transition systems, which we call the lower $H$-equivalence.

Proof It is an immediate consequence of the CR property. If $S_1 \equiv_H S_2$ and $S_2 \equiv_H S_3$ we have a diagram (not reproduced here) which we can complete by the CR property. We get a system $S_6$, and as $H$ is closed under composition $S_6$ is the image of $S_1$ and $S_3$ by the two $H$-morphisms $h_1 \circ h_6$ and $h_3 \circ h_4$ (we say also that $S_6$ is a common $H$-quotient of $S_1$ and $S_3$).

Property 1.3 The family Mor of all morphisms is CR.

Proof We consider the two morphisms $h_1$ and $h_2$ of $S$ onto $h_1(S) = S_1$ and $h_2(S) = S_2$.

We denote $R_1$ and $R_2$ the two equivalence relations on $Q$ corresponding to $h_1$ and $h_2$, and we call $R$ the smallest equivalence relation on $Q$ containing $R_1$ and $R_2$.

We recall that $R$ is the transitive closure of $R_1 \cup R_2$, which means that
$q\ R\ q' \iff \exists q_0, \ldots, q_h$ such that $q_0 = q$, $q' = q_h$ and for all $i \in [h]$, $q_{i-1}\ R_1\ q_i$ or $q_{i-1}\ R_2\ q_i$.

The morphism $h$ corresponding to $R$ maps $S$ onto $S'$ and it is clear that $h$ can be factorized as $h_1 \circ h'_1$ and $h_2 \circ h'_2$, since the equivalence classes modulo $R$ are unions of equivalence classes modulo $R_1$ (resp. $R_2$). □

Unfortunately the lower equivalence $\equiv_{Mor}$ is not very interesting, since we have the following

Property 1.4 Let $A'$ be a subset of $A$ and denote $S_{A'}$ the FTS with only one state $q_0$ and the set of transitions

$\{q_0 \xrightarrow{a} q_0 \mid a \in A'\}$

Then the mapping $h$ of $S = \langle Q, T\rangle$ defined by $h(q) = q_0$ for all $q \in Q$ is a morphism of $S$ onto $S_{A'}$ iff $A' = \lambda(T) = \{a \in A \mid \exists q, q' \in Q : (q \xrightarrow{a} q') \in T\}$.

Proof Obvious.

And property 1.3 implies immediately that

$S_1 \equiv_{Mor} S_2 \iff \lambda(T_1) = \lambda(T_2)$.

It is clear since one can map $S_1$ onto $S_{A_1}$ if $A_1 = \lambda(T_1)$ and $S_2$ onto $S_{A_2}$ if $A_2 = \lambda(T_2)$, and clearly $S_{A_1} \equiv_{Mor} S_{A_2}$ iff $A_1 = A_2$.

We now introduce a more interesting family of morphisms denoted MR: a morphism in MR is called a right Milner morphism, since the equivalence associated with MR has been first considered by R. Milner, and we shall define later a family of left Milner morphisms.

Definition The morphism $h$ of $S$ is a right Milner morphism (or an MR morphism) iff it satisfies

$\forall q, q', q_1 \in Q,\ \forall a \in A$:

$(q \xrightarrow{a} q_1) \in T$ and $h(q') = h(q)$ imply $\exists q'_1 : (q' \xrightarrow{a} q'_1) \in T$ and $h(q'_1) = h(q_1)$.

Property 1.5 The family MR of right Milner morphisms is a Church-Rosser family.

Proof It is immediate from the proof of property 1.2. We define $R$ as the transitive closure of $R_1$ and $R_2$ and we assume that $q\ R\ q'$, i.e. there exist $q_0, \ldots, q_h$ such that $q_0 = q$, $q' = q_h$ and for all $i \in [h]$, $q_{i-1}\ (R_1 \cup R_2)\ q_i$. Then we assume the existence of a transition $q_0 \xrightarrow{a} \bar q_0$: the morphisms $h_1$ and $h_2$ being MR, we know that there exists $\bar q_1$ such that $q_1 \xrightarrow{a} \bar q_1$ and $\bar q_1\ R_1\ \bar q_0$ or $\bar q_1\ R_2\ \bar q_0$, according to whether $q_0\ R_1\ q_1$ or $q_0\ R_2\ q_1$.

By an easy induction on $h$ we can find $\bar q_h$ such that $q_h \xrightarrow{a} \bar q_h$ and $\bar q_h\ R\ \bar q_0$, thus proving that $h_R$ is MR. It is easy then to prove that there exist two MR morphisms $h'_1$ and $h'_2$ such that $h_R = h_1 \circ h'_1 = h_2 \circ h'_2$. □

We have to remark

Property 1.6 Every MR morphism is a functional morphism.
Proof This is an immediate consequence of the definition. Every computation of length 1, i.e. every computation of the form $h(q) \xrightarrow{a} h(q')$ in $h(S)$, is the image under $h$ of some computation $q_1 \xrightarrow{a} q'_1$ in $S$ by the very definition of a morphism. Assume we have proved that every computation of length $n$ in $h(S)$ is the image of a computation of $S$, and consider a computation of length $n+1$ in $h(S)$

$\bar q_0 \xrightarrow{a_1} \bar q_1 \cdots \xrightarrow{a_n} \bar q_n \xrightarrow{a_{n+1}} \bar q_{n+1}$

By induction there exists a computation in $S$

$q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n$ such that for all $i \in \{0, \ldots, n\}$, $h(q_i) = \bar q_i$.

Then, since $h$ is MR and we know that there exists a transition $q \xrightarrow{a_{n+1}} q'_{n+1}$ in $S$ with $h(q) = \bar q_n$ and $h(q'_{n+1}) = \bar q_{n+1}$, from the fact that $h(q_n) = h(q)$ we can infer the existence of a transition $q_n \xrightarrow{a_{n+1}} q_{n+1}$ for some $q_{n+1}$ satisfying $h(q_{n+1}) = \bar q_{n+1}$. Thus $q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n \xrightarrow{a_{n+1}} q_{n+1}$ is a computation in $S$ whose image by $h$ is the computation $\bar q_0 \xrightarrow{a_1} \bar q_1 \cdots \xrightarrow{a_{n+1}} \bar q_{n+1}$. □

Partition corresponding to right Milner morphisms

For any given morphism $h$ of $S$ one has a partition of the set of states $Q$, which is the partition into equivalence classes modulo $h$. And conversely, if $Q = Q_1 \cup \ldots \cup Q_h$ is a partition of $Q$, it defines a morphism of $S$: one maps all the states in each component $Q_i$ onto a single state $i \in [h]$.

In this paragraph we characterize the MR-partitions corresponding to MR morphisms.
Restrictions of a transition system

If $Q'$ is a subset of $Q$ we define the restriction of $S = \langle Q, T\rangle$ to $Q'$ as the system $S \mid Q'$ given by

- its set of states $Q'$;

- the set of transitions $T \mid Q' = \{t \in T \mid \alpha(t) \in Q' \text{ and } \beta(t) \in Q'\}$.

The subset $Q'$ of $Q$ is said to be monoidal iff

$\mathcal{L}(S \mid Q') = \lambda(T \mid Q')^*$

The set $\lambda(T \mid Q')$ is the subset of the alphabet $A$ formed by all the letters which label a transition of $T \mid Q'$, or equivalently all the letters which label a transition in $T$ whose origin and extremity belong to $Q'$. We allow $\lambda(T \mid Q')$ to be empty: then $\mathcal{L}(S \mid Q') = \{\varepsilon\}$. The first remark is

Property 1.7 Each component of an MR partition of $Q$ is monoidal.

Proof Let $Q = Q_1 \cup \ldots \cup Q_k$ be the MR partition corresponding to the MR-morphism $h$ which maps, for all $i \in [k]$, all the elements of $Q_i$ onto the state $i$ of $h(Q) = [k]$.

Clearly the set of transitions of $h(S)$ contains all the transitions $i \xrightarrow{a} i$ for all $i \in [k]$ and $a \in \lambda(T \mid Q_i)$.

In fact $h(T) \mid \{i\} = \{i \xrightarrow{a} i \mid a \in \lambda(T \mid Q_i)\}$.

This proves that $\mathcal{L}(S \mid Q_i) \subseteq \lambda(T \mid Q_i)^* = \mathcal{L}(h(S) \mid \{i\})$.

The reverse inclusion comes from the fact that the MR morphism $h$ is also functional: every computation of $h(S) \mid \{i\}$ is the image of a computation of $S \mid Q_i$, whence

$\mathcal{L}(h(S) \mid \{i\}) \subseteq \mathcal{L}(S \mid Q_i)$. □

In fact we can prove a stronger property: in the same situation as above one has

$L(S \mid Q_i, q_i, Q_i) = \lambda(T \mid Q_i)^*$ for every $q_i \in Q_i$.

For every computation $c'$ in $h(S) \mid \{i\}$ and every state $q_i$ in $Q_i$ one can find a computation $c$ in $S \mid Q_i$ such that $h(c) = c'$ and $\alpha(c) = q_i$; this is just a new application of the MR condition. □

We call strongly right monoidal a subset $Q_i$ of $Q$ such that for all $q_i \in Q_i$, $L(S \mid Q_i, q_i, Q_i) = \lambda(T \mid Q_i)^*$, and then state the

Theorem 1.1

The partition $Q = Q_1 \cup Q_2 \cup \ldots \cup Q_k$ is an MR partition iff

- for all $i \in [k]$, $Q_i$ is strongly right monoidal;

- for all $i, j \in [k]$, if there exists a transition $t$ such that $\alpha(t) \in Q_i$, $\beta(t) \in Q_j$ and $\lambda(t) = a$, then for all $q_i \in Q_i$ there exists a transition $t'$ such that $\alpha(t') = q_i$, $\beta(t') \in Q_j$ and $\lambda(t') = a$.

Proof The only-if part follows immediately from property 1.7 and the MR condition.

Conversely, the morphism corresponding to the partition is MR.
A transition $q \xrightarrow{a} q'$ in $T$ may be either a transition of $T \mid Q_i$ for some $i$ or a transition from $Q_i$ to $Q_j$ where $i \neq j$. In the first case $q, q' \in Q_i$ and a state $q''$ is equivalent to $q$ modulo $h$ iff $q'' \in Q_i$: we certainly have then, for all such $q'' \in Q_i$, a transition labeled by $a$ with $q''$ as origin and terminating in $Q_i$, for otherwise $L(S \mid Q_i, q'', Q_i)$ would be different from $\lambda(T \mid Q_i)^*$.

In the second case we have $q, q'' \in Q_i$ and $q' \in Q_j$, where $j \neq i$, and the condition of the theorem implies the existence of a transition labeled by $a$ with $q''$ as origin and terminating in $Q_j$. □

This theorem gives us a procedure to find all the MR quotients of a given TS. We look for all the strongly right monoidal subsets of $Q$: clearly every subset reduced to one state is strongly right monoidal, and we can form partitions. For each of them we check the MR condition.

Example

(The transition system $S_1$ is given by a figure which is not reproduced here.)

In order to compute all the MR quotients of $S_1$ we need to look at all the MR partitions:

- certainly the trivial one $\{1, 2, 3, 4, 5\} = \{1\} \cup \{2\} \cup \{3\} \cup \{4\} \cup \{5\}$ is MR (this is a general phenomenon);

- we can find only 2 strongly right monoidal subsets of $Q$:

$\{2, 3\}$ is such that $L(S \mid \{2,3\}, 2, \{2,3\}) = L(S \mid \{2,3\}, 3, \{2,3\}) = (a \cup b)^*$

$\{4, 5\}$ is such that $L(S \mid \{4,5\}, 4, \{4,5\}) = L(S \mid \{4,5\}, 5, \{4,5\}) = c^*$

And we check that $\{1\} \cup \{2,3\} \cup \{4,5\}$ is an MR partition: we just have to check that there exists a transition from 3 to $\{4,5\}$ labeled by $c$, since there exists a transition from 2 to $\{4,5\}$ labeled by $c$.

Then we can form the MR quotient $S_2$ (figure not reproduced here).

There are no more MR partitions.

A slight alteration of $S_1$ gives us an MR minimal transition system $S_3$ (figure not reproduced here), for now $\{4,5\}$ is not strongly right monoidal.

Thus the only partition which could be MR is $\{1\} \cup \{2,3\} \cup \{4\} \cup \{5\}$, but it is not, since we have $2 \xrightarrow{c} 4$ and for the partition to be MR there should be a transition $3 \xrightarrow{c} 4$. Thus $S_3$ has no MR quotient different from itself and is MR minimal.
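The procedure just described (strongly right monoidal subsets, the two conditions of Theorem 1.1, then the quotient) as added example code, not from the paper. Since the figures of $S_1$, $S_2$ and $S_3$ are not reproduced, the systems below are constructed to match the text (states 1 to 5, $\{2,3\}$ reading $(a \cup b)^*$, $\{4,5\}$ reading $c^*$, $c$-transitions from 2 and 3 into $\{4,5\}$) with further transitions of our own choosing; the code also checks the MR definition directly against the theorem's conditions over every partition.

```python
"""Constructed example for Theorem 1.1: enumerate the MR partitions of an FTS and
build the corresponding MR quotients.  Added code, not the paper's own; S1 and S3
below are our reconstructions of the systems the example describes."""
from collections import deque

# An FTS S = <Q, T> is a set of states Q and a set of labelled transitions (q, a, q').

def labels(T):
    """lambda(T): the letters labelling some transition of T."""
    return {a for (_, a, _) in T}

def restrict(T, Qp):
    """T | Q': the transitions whose origin and extremity both lie in Q'."""
    return {(q, a, r) for (q, a, r) in T if q in Qp and r in Qp}

def strongly_right_monoidal(T, Qp):
    """Q' is strongly right monoidal iff L(S|Q', q, Q') = lambda(T|Q')^* for every
    q in Q'.  The left-to-right inclusion always holds, so we only need that every
    word over lambda(T|Q') can be read from q without leaving Q'.  Reading words on
    the determinised restriction, that means the empty set of current states is
    never reached."""
    Tp = restrict(T, Qp)
    A = labels(Tp)
    for q0 in Qp:
        seen = {frozenset([q0])}
        todo = deque(seen)
        while todo:
            X = todo.popleft()
            for a in A:
                Y = frozenset(r for (q, b, r) in Tp if q in X and b == a)
                if not Y:            # some word over lambda(T|Q') is unreadable from q0
                    return False
                if Y not in seen:
                    seen.add(Y)
                    todo.append(Y)
    return True

def _has_successor(T, q, a, block_of, j):
    """Is there a transition q -a-> r with r in block j?"""
    return any(b == a and block_of[r] == j for (s, b, r) in T if s == q)

def is_mr_partition(T, blocks):
    """Direct check of the MR condition for the morphism h induced by the partition
    (h sends every state of blocks[i] to the state i)."""
    block_of = {q: i for i, B in enumerate(blocks) for q in B}
    for (q, a, q1) in T:
        for qp in blocks[block_of[q]]:              # every q' with h(q') = h(q)
            if not _has_successor(T, qp, a, block_of, block_of[q1]):
                return False
    return True

def theorem_1_1(T, blocks):
    """The two conditions of Theorem 1.1: each block strongly right monoidal, and every
    transition leaving a block available, with the same label and the same target
    block, from every state of that block."""
    block_of = {q: i for i, B in enumerate(blocks) for q in B}
    if not all(strongly_right_monoidal(T, B) for B in blocks):
        return False
    for (q, a, q1) in T:
        i, j = block_of[q], block_of[q1]
        if i != j and not all(_has_successor(T, qp, a, block_of, j) for qp in blocks[i]):
            return False
    return True

def quotient(T, blocks):
    """T/R for the partition: ([q] -a-> [q']) whenever some (q -a-> q') is in T."""
    block_of = {q: i for i, B in enumerate(blocks) for q in B}
    return {(block_of[q], a, block_of[r]) for (q, a, r) in T}

def set_partitions(elems):
    """All partitions of a finite list of states, each as a list of frozensets."""
    if not elems:
        yield []
        return
    first, rest = elems[0], elems[1:]
    for p in set_partitions(rest):
        for i in range(len(p)):
            yield p[:i] + [p[i] | {first}] + p[i + 1:]
        yield [frozenset([first])] + p

def mr_partitions(Q, T):
    """The procedure after Theorem 1.1: try every partition and keep the MR ones."""
    return [p for p in set_partitions(sorted(Q)) if is_mr_partition(T, p)]

# Constructed S1: {2,3} reads (a u b)^* from either state, {4,5} reads c^* from either
# state, both 2 and 3 leave towards {4,5} on c, and 4, 5 return to {2,3} on a.
Q1 = {1, 2, 3, 4, 5}
T1 = {(1, 'd', 1), (1, 'a', 2),
      (2, 'a', 3), (2, 'b', 2), (3, 'a', 3), (3, 'b', 2),
      (2, 'c', 4), (3, 'c', 5),
      (4, 'c', 5), (5, 'c', 4), (4, 'a', 2), (5, 'a', 3)}
# Constructed S3: the same system without 5 -c-> 4, so {4,5} is no longer strongly
# right monoidal and 3 has no c-transition into {4}.
T3 = T1 - {(5, 'c', 4)}

if __name__ == "__main__":
    for name, T in (("S1", T1), ("S3", T3)):
        for p in mr_partitions(Q1, T):
            print(name, [sorted(B) for B in p], "->", sorted(quotient(T, p)))
```

For S1 the search returns the trivial partition and {1} ∪ {2,3} ∪ {4,5} with its quotient; for S3 only the trivial partition survives.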
II. Functional equivalence

A family $H$ of morphisms is said to be anti-Church-Rosser (abbreviated ACR) iff it satisfies the properties

- $H$ contains the identity;

- $H$ is closed under composition;

- for all $S_1, S_2, S_3$ and morphisms $h_1$ and $h_2$ in $H$ such that $S_3 = h_1(S_1) = h_2(S_2)$ there exist a transition system $S$ and two $H$-morphisms $h'_1$ and $h'_2$ satisfying $h'_1(S) = S_1$ and $h'_2(S) = S_2$.

Property II.1 If the family $H$ is ACR, the relation between transition systems defined by

$S_1 \sim_H S_2 \iff \exists S,\ \exists h_1, h_2 \in H : S_1 = h_1(S) \text{ and } S_2 = h_2(S)$

is an equivalence relation.

Proof Indeed we just have to check the transitivity of this relation.

If $S_1 \sim_H S_2$ and $S_2 \sim_H S_3$ we are in the situation described by a diagram (not reproduced here) with a system $S$ above $S_1, S_2$ and a system $S'$ above $S_2, S_3$, and using the ACR property we can complete this diagram with a system $S''$ above $S$ and $S'$.

Since $h \circ h_1$ and $h' \circ h'_3$ are in $H$, which is closed under composition, this diagram proves that $S_1 \sim_H S_3$.

Property II.2 The family Mor of all morphisms is ACR.

Proof We consider the amalgamated product $S_1 \otimes S_2$ of two transition systems.

This product is the transition system $S$ given by

$Q = Q_1 \times Q_2$

$T = T_1 \otimes T_2 = \{((q_1, q_2) \xrightarrow{a} (q'_1, q'_2)) \mid (q_1 \xrightarrow{a} q'_1) \in T_1 \text{ and } (q_2 \xrightarrow{a} q'_2) \in T_2\}$

The computations of $S_1 \otimes S_2$ are amalgamated products of computations of $S_1$ and $S_2$, i.e.
$(q_0, \bar q_0) \xrightarrow{a_1} (q_1, \bar q_1) \xrightarrow{a_2} \cdots \xrightarrow{a_n} (q_n, \bar q_n)$ is a computation of $S_1 \otimes S_2$ iff its two projections

$q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} q_n$ and $\bar q_0 \xrightarrow{a_1} \bar q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} \bar q_n$

are computations of $S_1$ and $S_2$ respectively.

If $S_3 = h_1(S_1) = h_2(S_2)$ is a common quotient of $S_1$ and $S_2$ and $\pi_1, \pi_2$ are the two projections of $Q_1 \times Q_2$ onto $Q_1$ and $Q_2$, one has $S_1 = \pi_1(S_1 \otimes S_2)$ and $S_2 = \pi_2(S_1 \otimes S_2)$.

Clearly $\pi_1(T_1 \otimes T_2) \subseteq T_1$.

The reverse inclusion comes from the easy fact that if $h_1(S_1) = h_2(S_2)$ then by property 1.3 $\lambda(T_1) = \lambda(T_2)$.

Thus for every $(q_1 \xrightarrow{a} q'_1) \in T_1$ there exists $(q_2 \xrightarrow{a} q'_2) \in T_2$ with the same label $a$, and $T_1 \otimes T_2$ contains $(q_1, q_2) \xrightarrow{a} (q'_1, q'_2)$, whose first projection is $q_1 \xrightarrow{a} q'_1$. □

The two equivalences $\equiv_{Mor}$ and $\sim_{Mor}$ corresponding to the family of all morphisms are identical, i.e. one has

$S_1 \equiv_{Mor} S_2 \iff \lambda(T_1) = \lambda(T_2) \iff S_1 \sim_{Mor} S_2$

Property II.2 The family $F$ of functional morphisms is ACR.

We prove the more precise property.

Property II.3 If there exist two functional morphisms $h_1$ and $h_2$ such that $h_1(S_1) = h_2(S_2)$ then the two projections of $S_1 \otimes S_2$ onto $S_1$ and $S_2$ are functional.

Proof Assume $h_1(S_1) = h_2(S_2)$ with $h_1, h_2 \in F$.

Every computation in $S_3 = h_1(S_1) = h_2(S_2)$ is the image under $h_1$ (resp. $h_2$) of a computation in $S_1$ (resp. $S_2$). Thus if $\hat q_0 \xrightarrow{a_1} \hat q_1 \cdots \xrightarrow{a_n} \hat q_n$ is a computation in $S_3$ there exist one computation in $S_1$, namely

$q_0 \xrightarrow{a_1} q_1 \cdots \xrightarrow{a_n} q_n$

and one computation in $S_2$, namely

$\bar q_0 \xrightarrow{a_1} \bar q_1 \cdots \xrightarrow{a_n} \bar q_n$

which satisfy

$\forall i \in \{0, \ldots, n\} : h_1(q_i) = \hat q_i$ and $h_2(\bar q_i) = \hat q_i$.

The amalgamated product of these two computations, namely

$(q_0, \bar q_0) \xrightarrow{a_1} (q_1, \bar q_1) \cdots \xrightarrow{a_n} (q_n, \bar q_n)$

is a computation in $S_1 \otimes S_2$.

Thus for every computation $c_1$ in $S_1$ one can find a computation $c_2$ in $S_2$ such that $h_2(c_2) = h_1(c_1)$, and $c_1 \otimes c_2$ is a computation in $S_1 \otimes S_2$ clearly satisfying $\pi_1(c_1 \otimes c_2) = c_1$.

We have proved property II.3 and property II.2.

Definition The equivalence $\sim_F$ associated to the ACR family of functional morphisms is called the functional equivalence.
Theorem II.1 Two transition systems are functionally equivalent iff their global languages are identical.

Proof $S_1 \sim_F S_2$ implies the existence of two functional morphisms $h_1$ and $h_2$ and a transition system $S$ such that $S_1 = h_1(S)$ and $S_2 = h_2(S)$. Since $h_1$ and $h_2$ are functional we have

$\mathcal{L}(S_1) = \mathcal{L}(S) = \mathcal{L}(S_2)$

Conversely, we assume that $\mathcal{L}(S_1) = \mathcal{L}(S_2)$; we prove that $\mathcal{L}(S_1) = \mathcal{L}(S_2) = \mathcal{L}(S_1 \otimes S_2)$ and that the two projections of $S_1 \otimes S_2$ onto $S_1$ and $S_2$ are functional.

Consider a word $u = a_1 \dots a_n$ in $\mathcal{L}(S_1)$ and a computation $c = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \dots \xrightarrow{a_n} q_n$ of $S_1$ such that $\lambda(c) = u$. Since $u$ belongs to $\mathcal{L}(S_2)$ there exists a computation $\bar c = \bar q_0 \xrightarrow{a_1} \bar q_1 \xrightarrow{a_2} \dots \xrightarrow{a_n} \bar q_n$ of $S_2$ such that $\lambda(\bar c) = u$.

The amalgamated product of $c$ and $\bar c$ is a computation of $S_1 \otimes S_2$ such that $\lambda(c \otimes \bar c) = u$, $\pi_1(c \otimes \bar c) = c$, $\pi_2(c \otimes \bar c) = \bar c$. Thus $\mathcal{L}(S_1) = \mathcal{L}(S_2)$ implies $\mathcal{L}(S_1) = \mathcal{L}(S_1 \otimes S_2)$ and the functionality of $\pi_1$. The proof follows immediately. □
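As an added example (not part of the paper), the following Python code builds the amalgamated product S1 ⊗ S2 of two constructed transition systems, projects it back onto the factors, and checks both projections for functionality up to a bounded computation length, which is the criterion of Property II.3 and Theorem II.1; the bounded global languages are compared as well. The two systems, the state names and the length bound are assumptions of the example.

```python
from collections import defaultdict

# A transition system S = (Q, A, T) is represented by its set T of
# transitions (q, a, q'); the state set Q is recovered from T.  The systems
# below are constructed for this example (the paper's own figures are not
# reproduced); S2 is a deterministic equivalent of the nondeterministic S1.
S1 = {(1, "a", 2), (1, "a", 3), (2, "b", 2), (3, "c", 3)}
S2 = {("1", "a", "23"), ("23", "b", "2"), ("23", "c", "3"),
      ("2", "b", "2"), ("3", "c", "3")}


def states(T):
    """Q: every state that occurs as source or target of a transition."""
    return {q for q, _, _ in T} | {p for _, _, p in T}


def computations(T, maxlen):
    """All computations q0 -a1-> q1 ... -an-> qn with n <= maxlen, encoded as
    tuples (q0, a1, q1, ..., an, qn); a lone state is a computation of length 0."""
    succ = defaultdict(list)
    for q, a, p in T:
        succ[q].append((a, p))
    found, frontier = set(), [(q,) for q in states(T)]
    while frontier:
        c = frontier.pop()
        found.add(c)
        if (len(c) - 1) // 2 < maxlen:
            frontier.extend(c + (a, p) for a, p in succ[c[-1]])
    return found


def language(T, maxlen):
    """Global language L(S) truncated to words of length <= maxlen: the label
    words lambda(c) of all computations c, started in any state."""
    return {c[1::2] for c in computations(T, maxlen)}


def amalgamated_product(T1, T2):
    """T1 (x) T2: transitions of S1 and S2 carrying the same label are paired."""
    by_label = defaultdict(list)
    for q, a, p in T2:
        by_label[a].append((q, p))
    return {((q1, q2), a, (p1, p2))
            for q1, a, p1 in T1 for q2, p2 in by_label[a]}


def project(T, i):
    """pi_i applied to the transitions of a product system."""
    return {(q[i], a, p[i]) for q, a, p in T}


def project_computation(c, i):
    """pi_i applied to a computation of a product system."""
    return tuple(x[i] if k % 2 == 0 else x for k, x in enumerate(c))


def projection_is_functional(Ti, P, i, maxlen):
    """pi_i is functional when every computation of S_i is the image of a
    computation of the product (checked here up to length maxlen)."""
    lifted = {project_computation(c, i) for c in computations(P, maxlen)}
    return computations(Ti, maxlen) <= lifted


def functionally_equivalent(T1, T2, maxlen=4):
    """Property II.3 / Theorem II.1: S1 ~_F S2 iff both projections of
    S1 (x) S2 are functional, equivalently iff L(S1) = L(S2)."""
    P = amalgamated_product(T1, T2)
    both_functional = (projection_is_functional(T1, P, 0, maxlen)
                       and projection_is_functional(T2, P, 1, maxlen))
    same_language = language(T1, maxlen) == language(T2, maxlen)
    return both_functional and same_language


if __name__ == "__main__":
    P = amalgamated_product(S1, S2)
    print("pi_1(T1 (x) T2) == T1:", project(P, 0) == S1)
    print("S1 ~_F S2:", functionally_equivalent(S1, S2))
    # Adding a transition with a label S2 does not have breaks the reverse
    # inclusion pi_1(T1 (x) T2) = T1 and with it the equivalence.
    print("S1 + (3 -d-> 1) ~_F S2:", functionally_equivalent(S1 | {(3, "d", 1)}, S2))
```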
Functional partitions

In this paragraph we characterize the partitions corresponding to functional morphisms, called functional partitions or F-partitions. We first remark that

Property III.4

Each component of an F-partition is a monoidal subset of $Q$.

Proof

It is immediate from the proof of property I.7 and the fact that the morphism $h$ is functional. This implies that $\mathrm{Comp}(h(S) \mid \{i\}, \{i\}, \{i\}) = h(\mathrm{Comp}(S \mid Q_i, Q_i, Q_i))$, whence $\mathcal{L}(h(S) \mid \{i\}) = \lambda(T \mid Q_i)^* = \mathcal{L}(S \mid Q_i)$. □

Definition II. Let $Q'$ be a monoidal subset of $Q$ such that $\lambda(T \mid Q') = A'$ and $\mathcal{L}(S \mid Q') = A'^*$. We say that a pair $(Q'_1, Q'_2)$ of subsets of $Q'$ is a complete input-output system for $Q'$ iff

$A'^* = \bigcup \{ L(S \mid Q', q'_1, q'_2) \mid q'_1 \in Q'_1,\ q'_2 \in Q'_2 \}$

Theorem II.2 The following conditions are necessary and sufficient for a partition $Q = Q_1 \cup \dots \cup Q_h$ to be functional:

- for all $i \in [h]$, $Q_i$ is monoidal;

- for all $i, j \in [h]$ and all $a \in A$ there exist two subsets of $Q_i$, denoted $Q_{i,j,a}$ and $Q_{i,a,j}$, which satisfy the following conditions:

- $Q_{i,j,a} = \emptyset$ iff $\{ t \in T \mid \alpha(t) \in Q_j,\ \beta(t) \in Q_i,\ \lambda(t) = a \} = \emptyset$

- $Q_{i,a,j} = \emptyset$ iff $\{ t \in T \mid \alpha(t) \in Q_i,\ \beta(t) \in Q_j,\ \lambda(t) = a \} = \emptyset$

- for all $i, j, a$,

$\forall q_j \in Q_{j,a,i}\ \ \forall q_i \in Q_{i,j,a} : (q_j \xrightarrow{a} q_i) \in T$

$(Q_i, Q_{i,a,j})$ and $(Q_{i,j,a}, Q_i)$ are complete input-output systems of $Q_i$ if $Q_{i,a,j}$ (resp. $Q_{i,j,a}$) is not empty;

- for all $i, j, l \in [h]$ and $a, b \in A$: if $Q_{i,j,a}$ and $Q_{i,b,l}$ are non empty, then $(Q_{i,j,a}, Q_{i,b,l})$ is a complete input-output system of $Q_i$.

Proof These conditions are exactly the necessary conditions so that we can make a computation of $S$ from a succession of computations in $S \mid Q_{i_1}$, followed by a transition from $Q_{i_1}$ to $Q_{i_2}$, then a computation in $S \mid Q_{i_2}$, followed by a transition from $Q_{i_2}$ to $Q_{i_3}$, and so on. Intuitively the situation is described by the following figure.

We have only expressed that there are enough transitions between the components of a partition: for every word $f$ in $A_{i_2}^*$ there exists a computation of $S \mid Q_{i_2}$ from a state in $Q_{i_2, i_1, a}$, which can receive a transition labeled by $a$ coming from $q_{i_1}$, to the origin of a transition labeled by $b$ going to $Q_{i_3}$.
Proof A partition satisfying the conditions of theorem II.2 is an F-partition:

- a computation in $h(S)$, where $h$ maps $Q$ onto $[h]$, can be factorized as follows

$q_{j,1} \to q_{j,2} \to q_{j,3} \to \dots \to q_{j,m}$ of $S \mid Q_j$, such that all the $q_{j,k}$ belong to $Q_j$.

The definition of complete input-output systems implies that we can always take $(q_{j,1}, q_{j,m})$ in $(Q_i, Q_i)$ if $(Q_i, Q_i)$ is a complete input-output system for $Q_i$.

Then we can use the condition of theorem II.2 to find a computation in $S$ which is mapped by $h$ onto a given computation $c'$ of $h(S)$. If the computation $c'$ contains as a factor

$\dots\ i_1 \xrightarrow{a_1} i_2 \xrightarrow{f_2} i_2 \xrightarrow{a_2} i_3\ \dots$

we shall replace this factor by

$\dots \xrightarrow{a_1} q_{i_2,1} \xrightarrow{f_2(1)} q_{i_2,2} \xrightarrow{f_2(2)} \dots \xrightarrow{f_2(m)} q_{i_2,m} \xrightarrow{a_2} \dots$

where $(q_{i_2,1}, q_{i_2,m}) \in (Q_{i_2,i_1,a_1}, Q_{i_2,a_2,i_3})$, which is a complete input-output system for $Q_{i_2}$.

The leftmost and rightmost factors will be replaced by

$q_{i_1,1} \xrightarrow{f_1(1)} \dots \xrightarrow{f_1(m)} q_{i_1,m}$ where $q_{i_1,m} \in Q_{i_1,a_1,i_2}$

$q_{i_n,1} \xrightarrow{f_n(1)} \dots \xrightarrow{f_n(m)} q_{i_n,m}$ where $q_{i_n,1} \in Q_{i_n,i_{n-1},a_{n-1}}$

We have clearly built a computation $c$ in $S$ such that $h(c) = c'$.


The same argument shows the necessity of the condition: assume that $Q = Q_1 \cup \dots \cup Q_k$ is an F-partition and consider $i, j, l \in [k]$ and $a, b \in A$ such that $i \neq j$; if $Q_{i,a,j} \neq \emptyset$ and $Q_{i,b,l} \neq \emptyset$ we have in $h(S)$ the computation $c'$:

If $(Q_{i,j,a}, Q_{i,b,l})$ is not a complete input-output system for $Q_i$ then we can find an $f \in \mathcal{L}(h(S) \mid \{i\})$ such that for all computations $q_{i_1} \xrightarrow{f} q_{i_n}$ of $S \mid Q_i$ either $q_{i_1} \notin Q_{i,j,a}$ or $q_{i_n} \notin Q_{i,b,l}$.

Thus there cannot exist a computation in $S$

$q_j \xrightarrow{a} q_{i_1} \xrightarrow{f} q_{i_n} \xrightarrow{b} q_l$

which is mapped by $h$ on $c'$. □

Example The following system $S_1$ has no F-quotient.

No subset of $\{1, 2, 3\}$ with more than one element is monoidal. Let us compute the deterministic equivalent $S_2$ of $S_1$. The deterministic equivalent $S_2$ of $S_1$ is surely functionally equivalent to $S_1$.

The system $S_2$ has an F-quotient (and one only).

The only monoidal subset of $\{12, 123, 23, 3\}$ with two elements is $\{23, 3\}$, but the corresponding partition $\{12\} \cup \{23, 3\} \cup \{123\}$ is not an F-partition, for we can only take

$Q_{\{23,3\},\{12\},a} = \{23\}$

and $L(S_2 \mid \{23, 3\}, 23, \{23, 3\}) = a(a \cup b)^* \neq (a \cup b)^*$.

The only monoidal subset with 3 elements is $\{123, 23, 3\}$, and the partition $\{12\} \cup \{123, 23, 3\}$ is an F-partition, for we can take

$Q_{\{123,23,3\},\{12\},a} = \{23\}$ and $Q_{\{123,23,3\},c,\{12\}} = \{123, 23, 3\}$

and $(\{23\}, \{123, 23, 3\})$ is a complete input-output system for $\{123, 23, 3\}$.

The corresponding F-quotient of $S_2$ is $S_3$.

Since $S_2 \sim_F S_1$ and $S_2 \sim_F S_3$ we have $S_1 \sim_F S_3$. We can check it by computing $S_1 \otimes S_3 = S_4$.
As an example of the use of algebraic methods in computer science, the theory ACP, dealing with concurrent communicating processes, is described.

1. INTRODUCTION.

Process algebra is the study of concurrent communicating processes in an algebraic framework. As the initiator of this field we consider R. MILNER, with his Calculus of Communicating Systems [M80], which formed the basis for most of the axiom systems in the theory ACP of BERGSTRA & KLOP [BK84, BK85]. The endeavor of process algebra is to treat concurrency theory (the theory of concurrent communicating processes) in an axiomatic way, just as for instance the study of mathematical objects such as groups or fields starts with an axiomatization of the intended objects. The axiomatic method which concerns us is algebraic in the sense that we consider structures (also called process algebras by some people) which are models of some set of (mostly) equational axioms; these structures are equipped with several operators. Thus, we use the term algebra in the sense of model theory.

There is ample motivation for such an axiomatic-algebraic approach to concurrency theory. The main reason is that there is not one definite notion of process. There is a staggering amount of properties which one may or may not attribute to processes, there are dozens of views (semantics) which one may have on (a particular kind of) processes, and there are infinitely many models of processes. So an attempt to organize this field of process theories leads very naturally and almost unavoidably to an axiomatic methodology - and a curious consequence is that one has to answer the question "What is a process?" with the seemingly circular answer "A process is something that obeys a certain set of axioms ... for processes". The axiomatic method has proven effective in mathematics and mathematical logic — and in our opinion it has its merits in computer science as well, if only for its organizing and unifying power.

Next to the organizing role of this set-up with axiom systems, their models and the study of their relations, we have the obvious computational aspect. Even more than in mathematics and mathematical logic, in computer science it is algebra that counts - the well-known etymology of the word should be convincing enough. For instance, in a system verification the use of transition diagrams may be very illuminating, but especially for larger systems it is evidently desirable to have a formalized mathematical language at our disposal in which specifications, computations and proofs can be given in what is in principle a linear notation (evidenced by [B89]). Only then can we hope to succeed in attempts to mechanize our dealings with the objects of interest. In our case the mathematical language is algebraic, with basic constants, operators to construct larger processes, and equations defining the nature of the processes under consideration. (The format of pure equations is not always enough, though. On occasion, conditional equations and some infinitary proof rules are used.) To be specific: we will always insist on the use of congruences, rather than mere equivalences, in the construction of process algebras; this in order to preserve the purely algebraic format.


* Partial support received by ESPRIT contract 432, A formal integrated approach to industrial software development (METEOR), and RACE contract 1046, Specification and Programming Environment for Communication Software (SPECS).
A further advantage of the use of the axiomatic-algebraic method is that the entire apparatus of mathematical logic and the theory of abstract data types is at our disposal. One can study extensions of axiom systems, homomorphisms of the corresponding process algebras. One can formulate exact statements as to the relative expressibility of some process operators (non-definability results).

Of course, the present axiomatizations for concurrency theory do not cover the entire spectrum of interest. Several aspects of processes are as yet not well treated in the algebraic framework. The most notable examples concern the real-time behaviour of processes, and what is called true concurrency (non-interleaving semantics). Algebraic theories for these aspects are under development at the moment (see e.g. Van GLABBEEK & VAANDRAGER).

In our view, process algebra can be seen as a worthy descendant of 'classical' automata theory as it originated three or four decades ago. The crucial difference is that nowadays one is interested not merely in the execution traces (or language) of one automaton, but in the behaviour of systems of communicating automata. As Milner and also HOARE [H85] have discovered, it is then for several purposes no longer sufficient to abstract the behaviour of a process to a language of execution traces. Instead, one has to work with a more discriminating process semantics, in which also the timing of choices of a system component is taken into account. Mathematically, this difference is very sharply expressed in the equation x·(y + z) = x·y + x·z, where + denotes choice and · is sequential composition; x, y, z are processes. If one is interested in languages of execution traces (trace semantics), this equation holds; but in process algebra it will in general not hold. Nevertheless, process algebra retains the option of adding the equation and studying its effect. In fact one goal of process algebra is to form a uniform framework in which several different process semantics can be compared and related. One can call this comparative concurrency semantics.

We bring structure into our theory of process algebra by modularization, i.e. we start from a minimal theory (containing only the operators +, ·), and then we add new features one at a time. This allows us to study features in isolation, and to combine the modules of the theory in different ways.

In the following, we give a survey of the theory ACP (Algebra of Communicating Processes) as introduced in [BK84].

2. Basic process algebra.

Process algebra starts with a given set A of atomic actions a, b, c, .... These actions are taken to be indivisible and to have no duration. When we describe a certain application, we will have to specify what the atomic actions involved are. Thus, the set A will form a parameter of our theory. Each atomic action is a constant in the theory. Actions can be combined into composite processes by the operators + and ·: + is alternative composition, choice or sum, and · is sequential composition or product. Thus, (a + b)·c is the process that first chooses between executing a or b, next executes c and then terminates. Since time has a direction, product is not commutative; but sum is, and in fact it is stipulated that the options (summands) possible in some state of the process form a set. Formally, we will require that all processes x, y, ... satisfy the axioms in table 1.

x + y = y + x                A1
(x + y) + z = x + (y + z)    A2
x + x = x                    A3
(x + y)·z = x·z + y·z        A4
(x·y)·z = x·(y·z)            A5

Table 1. BPA.

We often leave out brackets and the product sign, as in regular algebra. Product will bind more strongly than other operators, sum will bind more weakly. Thus, xy + z means (x·y) + z. The theory in table 1 is called Basic Process Algebra or BPA.
We do not include an axiom x(y + z) = xy + xz because the moment of choice in both processes is different, and this difference is important in many applications. For instance, a game of Russian roulette could be described by spin·click + spin·bang, but not by spin·(click + bang).

3. Termination.

Let us again consider sequential composition of processes. If in process x·y component x has performed all its actions, and can do nothing more, it has terminated successfully and process y starts. But if process x consists of a number of concurrently operating components that at some point are all waiting for a communication from another component, then x also cannot perform any more actions, but in such a situation we do not want y to start. In the second case, we say x has terminated unsuccessfully, is in a state of deadlock, and no action is possible any more. Thus, we want to distinguish between successful and unsuccessful termination. We use the constant δ for unsuccessful termination. The laws for this constant are in table 2.

x + δ = x    A6
δ·x = δ      A7

Table 2. Deadlock.

Now we can give a more formal argument for rejection of the law x(y + z) = xy + xz: a consequence is ab = a(b + δ) = ab + aδ, and this means that a process with deadlock possibility is equal to one without. In most applications, it is important to model deadlock behaviour, so this is an unwanted identification.

It sometimes has advantages to also include a special constant for successful termination. For this purpose, the empty process ε is often used, with laws εx = x = xε.

4. INTERLEAVING.

If we look at the parallel composition x || y of processes x and y from the outside, we will see that the atomic actions of x and y are interleaved or merged in time (since we assume they have no duration). Thus, at each point in time, the next action will either come from x or from y. In order to get a finite axiomatisation for the parallel composition or merge, we will use an auxiliary operator ⌊⌊ (left-merge): x ⌊⌊ y is just like x || y, but with the restriction that the first step comes from x.

x || y = x ⌊⌊ y + y ⌊⌊ x           M1
a ⌊⌊ x = a·x                      M2
a·x ⌊⌊ y = a·(x || y)             M3
(x + y) ⌊⌊ z = x ⌊⌊ z + y ⌊⌊ z    M4

Table 3. Interleaving.

The theory with constants A, operators +, ·, ||, ⌊⌊ and axioms in tables 1 and 3 is called PA. Axioms M2 and M3 are actually axiom schemes: we have such an axiom for each a ∈ A ∪ {δ}. With the axioms of PA, we can eliminate the operators ||, ⌊⌊ from all closed terms. In fact, this elimination takes the form of a term rewrite system. Thus, merge becomes a defined operator on closed terms (but not on infinite processes, defined by means of recursive equations).

5. Communication.

Parallel composition between processes is not interesting without some form of communication. For this reason, we extend the merge operator of section 4 to include the possibilities for communication. First, we need to say which atomic actions can communicate, which actions are communication partners. For this reason, we assume we have a communication function γ given on the set of atomic actions A. This is a partial binary function on A; if γ(a,b) = c, we say that a and b communicate, and the result of the communication is c; if γ(a,b) is undefined, we say that a and b do not communicate. We do not restrict ourselves beforehand to binary communication only, but will require that γ is commutative and associative, i.e. for all a, b, c ∈ A we have

γ(a,b) = γ(b,a)
γ(γ(a,b),c) = γ(a,γ(b,c))

and either side of these equations is defined exactly when the other side is. Now, the parameters of our theory are A and γ.

In order to incorporate the possibility for communication in the merge operator, we use an additional auxiliary operator | (communication merge). Now, x | y is just like x || y, but with the restriction that the first step is a communication step between x and y. In table 4, a, b ∈ A ∪ {δ}, and x, y, z are arbitrary processes.

a | b = γ(a,b)   if γ(a,b) is defined      CF1
a | b = δ        otherwise                 CF2
x || y = x ⌊⌊ y + y ⌊⌊ x + x | y           CM1
a ⌊⌊ x = a·x                               CM2
a·x ⌊⌊ y = a·(x || y)                      CM3
(x + y) ⌊⌊ z = x ⌊⌊ z + y ⌊⌊ z             CM4
a·x | b = (a | b)·x                        CM5
a | b·x = (a | b)·x                        CM6
a·x | b·y = (a | b)·(x || y)               CM7
(x + y) | z = x | z + y | z                CM8
x | (y + z) = x | y + x | z                CM9

Table 4. Merge with communication.

6. Encapsulation.

In communicating systems, we often want that communication partners should communicate, and not occur by themselves. In order to block unwanted occurrences of such actions, we need the encapsulation operators ∂_H. Here, H is a set of atomic actions (H ⊆ A), and ∂_H will block all actions from H, by renaming them into δ.

The axioms in tables 1, 2, 4 and 5 together constitute the axiom system ACP (Algebra of Communicating Processes) of BERGSTRA & KLOP [BK84]. Typically, a system of communicating processes x_1, ..., x_n is represented in ACP by the expression ∂_H(x_1 || ... || x_n), where H will contain all communication 'halves' occurring in the parallel composition.

This language (with some extra defined operators) has been used extensively in [1] in system specification. In order to do system verification, it is necessary to tackle the issue of abstraction as in [BK85].
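The closed-term elimination described in sections 4 to 6, as an added example that is not part of the paper: a small Python normalizer that rewrites closed ACP terms with the axioms of tables 1 to 4 into sums of prefixed terms, treating ∂_H as the δ-renaming described in section 6 (that ∂_H distributes over + and · is assumed, since table 5 is not reproduced above). The tuple encoding of terms, the action names and the communication function γ used are choices of the example.

```python
# Closed ACP terms are nested tuples: an atom is a string, "δ" is deadlock,
# and ("+", x, y), (".", x, y), ("||", x, y), ("L", x, y) (left merge ⌊⌊),
# ("|", x, y) (communication merge) and ("d", H, x) (encapsulation ∂_H)
# build composite terms.  A normal form is a frozenset of summands (a, t):
# the summand is a when t is None, and a·t when t is itself a normal form.
# Frozensets give A1-A3 (commutativity, associativity, idempotence of +)
# for free; the empty sum is δ, so x + δ = x (A6) is automatic as well.

DELTA = frozenset()


def atom(a):
    return frozenset({(a, None)})


def seq(x, y):
    """x·y by A4 (right distribution) and A5; δ·y = δ (A7) since δ has no summands."""
    return frozenset((a, y if t is None else seq(t, y)) for a, t in x)


def comm_atoms(a, b, gamma):
    """CF1/CF2: a | b is γ(a,b) when defined (γ is commutative), δ otherwise."""
    return gamma.get((a, b), gamma.get((b, a)))


def merge(x, y, gamma):
    """CM1: x || y = x ⌊⌊ y + y ⌊⌊ x + x | y."""
    return left(x, y, gamma) | left(y, x, gamma) | comm(x, y, gamma)


def left(x, y, gamma):
    """CM2: a ⌊⌊ y = a·y; CM3: a·x ⌊⌊ y = a·(x || y); CM4 distributes over +."""
    return frozenset((a, y if t is None else merge(t, y, gamma)) for a, t in x)


def comm(x, y, gamma):
    """CM5-CM9: communication merge of two normal forms."""
    out = set()
    for a, t in x:
        for b, u in y:
            c = comm_atoms(a, b, gamma)
            if c is None:            # a | b = δ, and δ·z = δ drops the summand
                continue
            if t is None and u is None:
                out.add((c, None))                    # CF1
            elif u is None:
                out.add((c, t))                       # CM5: a·x | b = (a|b)·x
            elif t is None:
                out.add((c, u))                       # CM6: a | b·y = (a|b)·y
            else:
                out.add((c, merge(t, u, gamma)))      # CM7: a·x | b·y = (a|b)·(x||y)
    return frozenset(out)


def encap(H, x):
    """∂_H renames actions in H into δ (so their summands vanish by A6/A7);
    that ∂_H distributes over + and · is assumed here."""
    return frozenset((a, None if t is None else encap(H, t))
                     for a, t in x if a not in H)


def normalize(term, gamma=None):
    """Rewrite a closed ACP term to a BPA_δ normal form: the closed-term
    elimination of ||, ⌊⌊, | and ∂_H described in sections 4-6."""
    gamma = gamma or {}
    if isinstance(term, str):
        return DELTA if term == "δ" else atom(term)
    op, *args = term
    if op == "d":
        return encap(set(args[0]), normalize(args[1], gamma))
    x, y = (normalize(t, gamma) for t in args)
    ops = {"+": lambda x, y: x | y, ".": seq,
           "||": lambda x, y: merge(x, y, gamma),
           "L": lambda x, y: left(x, y, gamma),
           "|": lambda x, y: comm(x, y, gamma)}
    return ops[op](x, y)


def show(x):
    """Render a normal form; summands are sorted, so equal terms print equally."""
    if not x:
        return "δ"

    def summand(a, t):
        if t is None:
            return a
        s = show(t)
        return a + "·" + (s if len(t) <= 1 else "(" + s + ")")
    return " + ".join(sorted(summand(a, t) for a, t in x))


if __name__ == "__main__":
    # The moment of choice matters: spin·(click + bang) and spin·click + spin·bang
    # have different normal forms, so the rejected law x(y+z) = xy+xz fails here.
    print(show(normalize((".", "spin", ("+", "click", "bang")))))
    print(show(normalize(("+", (".", "spin", "click"), (".", "spin", "bang")))))
    # Two halves s, r of a communication with γ(s,r) = c, forced to synchronise
    # by encapsulating both halves: ∂_H(s || r) = c.
    print(show(normalize(("d", {"s", "r"}, ("||", "s", "r")), {("s", "r"): "c"})))
```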
Abstract

In any model of computation that distinguishes concurrency from nondeterminism, it is useful to be able to independently associate structure with each of these notions. To this end, we develop a categorical definition of process based on the pomset model, parametrized on the choices of temporal structure and notion of nondeterminism.

1 Introduction

Partial order based models of concurrency [Gre75, Gra81, NPW81, MS80, Pra82, PW84] vary in their treatment of nondeterminism. Emulating formal language and trace theory, the labeled partial order (also called a partially ordered multiset — pomset) model of Grabowski [Gra81] and Pratt [Pra82] defines a process to be a set of behaviours, a behaviour being a set of events, a collection of timing constraints on the events, and a labeling associating each event with an action from another set (the alphabet).¹ In the original version, a behaviour is simply a pomset, that is, the timing constraints are given by a partial order.

In this scheme, the notion of behaviour is strictly a deterministic one; all events of the behaviour must occur. Real nondeterminism (as opposed to the spurious nondeterminism introduced by the observation/interleaving of concurrent events — a distinction that makes sense from the "true concurrency" point of view) only appears at the upper level where a choice is made concerning which of the alternative behaviours of the process is to be executed. This "disjunctive normal

* Based partially on work supported by an NSF Graduate Fellowship

¹ The Petri net literature refers to events as event occurrences and to actions as events.
form" representation for processes has the advantage of allowing us to treat the nondeterministic and concurrent aspects somewhat independently.²

In other work, we (with Casley, Meseguer and Pratt [CCMP89]) generalized the notion of behaviour to include other forms of temporal constraint besides that given by a partial order. Alternative timing schemes included preorders, prosset orders (as defined in [GP87]), and premetric spaces [Law73], to name a few. Particularly important to us was the ability to provide rather clean categorical definitions for many of the operations on behaviours described in [Gis84, Pra86] (e.g., concurrence, concatenation, orthocurrence, pomset-definables) which did not depend on the underlying temporal structure being that of a partial order.

We now want to accomplish the same for full-fledged processes that include actual nondeterminism. How should the notion of process change as we change the timing schemes for events? As with the behaviours, it is important that we provide suitably abstract definitions for the major process operations described in [Gis84, Pra86] if we expect to use them in specifications involving notions of temporal constraint more detailed than that of partial orders.

As with timing schemes, other notions of nondeterminism can also be considered. For example, [BM84] considers notions providing each alternative behaviour with a path count (number of ways of producing this alternative) or a predicate governing the occurrence of each alternative. These possibilities should also be included in our process model.

In this paper we achieve both of these goals with our model, in effect composing the two categories representing the disjunctive and conjunctive structure respectively. We can also introduce structure between the alternatives as well; the set of alternatives becomes a category including partial stages in a computation as well as completed behaviours.

The construction starts with an appropriate category of behaviours B (the conjunctive structure). If we consider behaviours to represent the actions taken by a system or a component of a system, a behaviour morphism is best viewed for our purposes as mapping the actions/events of subcomponents into those of larger components which contain them. Each event of the subcomponent appears somewhere in the larger component; the morphism tells us where. One useful consequence of this particular interpretation is that given a diagram of component behaviours, we can derive the full system behaviour by the simple expedient of taking a colimit.

When considering the nondeterministic aspect, we notice that this relationship is reversed; each alternative available to the component implies a particular alternative in the subcomponent. This reversal is a consequence of the disjunctive nature of processes versus the conjunctive nature of behaviours. We then take a process P to be a set $A_P$ indexing the available alternatives, together with a function $P : A_P \to B$ identifying the behaviours.

² Contrast this with other models that incorporate the nondeterministic and concurrent aspects into a single one-level structure (e.g., event structures).

$A_P$ can also be thought of as a discrete category with P a functor.

A process morphism $f : P \to Q$ then consists of a functor $A_f : A_Q \to A_P$ (note the reversal) and a natural transformation $P A_f \to Q$ (there are variants of this construction taking into account the alphabets of the behaviours of B which will be discussed).

The disjunctive structure is handled similarly, wherein we have a suitable category E of e.g. predicates or multiplicities. Our notion of process will then also include a (contra)functor $P' : A_P \to E$, while process morphisms now include a natural transformation $C_f : Q' \to P' A_f$. We leave open both the choice of behaviour notion B and the choice of nondeterminism notion E.

As with the behaviours we get, assuming B and E are sufficiently well behaved, generalizations of the various process operations defined for pomset processes described in [Pra86] and [Gis84] by taking them to be appropriate limits or colimits (e.g., union is a product, concurrence is a coproduct). Fixpoint constructions [AK79, PS78] can also work. We again, as with behaviours, obtain a straightforward notion of system composition from taking colimits, albeit a somewhat different one from those previously proposed (i.e., Y-section [Gra81], utilization [Pra86] and fusion [GP87]).
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Equality-Test  and  If-Then-Else  Algebras: 
Axiomatization  and  Specification 

Don  Pigozzi 
Iowa  State  University 


Many  of  the  data  structures  that  arise  in  practice  include  a  Boolean  sort  together  with  equal¬ 
ity  tests  for  the  elements  of  each  non-Boolean  sort;  in  some  cases  they  also  include  if-then-else 
operations  that  select  elements  of  a  data  domain  on  the  basis  of  a  Boolean  test.  We  find  a  finite 
set  of  conditional  equations  and  a  finite  set  of  ordinary  equations  that  axiomatize  respectively 
the  classes  of  equality-test  and  if-then-else  algebras  of  each  appropriate  signature.  We  show  that 
for  equality-test  algebras  conditional  specification  is  as  powerful  as  universal  specification,  and 
equational  specification  is  as  powerful  as  universal  specification  in  the  presence  of  the  if-then-else 
operations.  We  also  investigate  the  power  of  conditional  and  equational  specifications  when  the 
equality  tests  and  if-then-else  operations  are  hidden. 


Equality-test  Algebras 

A  signature  E  is  an  equality-test  signature  it  it  has  a  sort  bool  with  operation  symbols  and,  or,  not, 
true,  false,  and,  for  each  sort  s  bool,  an  operation  symbol  eq3  :  ss  -*  bool.  A  E-algebra  A  is  an 
equality-test  algebra  if  S  contains  a  sort  bool  such  that  A  hoot  is  the  two-element  Boolean  algebra, 
and,  for  each  s  6  S  \  {bool},  E,,400/  contains  a  operation  symbol  eqs  such  that 


if  a  =  b; 
if  a  ^  6. 


The  class  of  all  equality-test  E-algebras  is  denoted  by  ETs;  the  subscript  s  is  omitted  when  there 
is  no  chance  of  confusion. 

A Σ-algebra A is a generalized equality-test algebra if Σ is an equality-test signature and A satisfies the following set of equations and conditional equations (φ ≤ ψ stands for the Boolean equation not φ or ψ ≈ true).

(Axget1) A standard system of equational axioms for Boolean algebras;

for each s ∈ S \ {bool}:

(Axget2) $\mathrm{eq}_s(x,x) \approx \mathrm{true}$;

(Axget3) $\mathrm{eq}_s(x,y) \le \mathrm{eq}_s(y,x)$;

(Axget4) $\mathrm{eq}_s(x,y)\ \mathrm{and}\ \mathrm{eq}_s(y,z) \le \mathrm{eq}_s(x,z)$;

(Axget5) $\mathrm{eq}_{s_0}(x_0,y_0)\ \mathrm{and}\ \cdots\ \mathrm{and}\ \mathrm{eq}_{s_{n-1}}(x_{n-1},y_{n-1}) \le \mathrm{eq}_s(\sigma(x_0,\ldots,x_{n-1}),\ \sigma(y_0,\ldots,y_{n-1}))$,

for each σ ∈ Σ_{w,s} with w = s_0 s_1 ⋯ s_{n-1};

(Axget6) $\mathrm{eq}_s(x,y) \approx \mathrm{true} \;\rightarrow\; x \approx y$.

This set of axioms is denoted by AXGET_Σ, and the quasivariety of all generalized equality-test Σ-algebras, i.e., the class of models of AXGET_Σ, is denoted by GET_Σ.

The following theorem is the analogue for generalized equality-test algebras of the Stone representation theorem (in algebraic form) for Boolean algebras.


GET- Representation  Theorem.  Every  generalized  equality-test  algebra  is  isomorphic  to  a 
subalgebra  of  a  Cartesian  product  of  equality-test  algebras.  More  generally,  given  any  set  E  of 
equations,  every  generalized  equality-test  algebra  that  satisfies  E  is  isomorphic  to  a  subalgebra  of 
a  Cartesian  product  of  equality-test  algebras  that  satisfy  E. 

Corollary. GET is the smallest quasivariety that contains all equality-test algebras. Hence AXGET is a base for the conditional equations of ET.

Corollary. Let K be a sub-quasivariety of GET defined relative to GET by any set E of identities. Then the initial algebra of K can be represented as the minimal subalgebra of the Cartesian product of all equality-test data structures that satisfy E.

It follows that an equality-test data structure can be an initial algebra of K iff it is the only equality-test data structure (up to isomorphism) satisfying E. In this case it is clearly also the final algebra of K.

Specification  of  Equality-Test  Algebras 

A  data  structure  A  is  a  heterogeneous  algebra  that  is  minimal  in  the  sense  that  it  has  no  proper 
subalgebras.  If  there  is  at  least  one  ground  term  of  each  sort,  then  a  data  structure  may  be 
characterized  as  a  heterogeneous  algebra  in  which  each  element  is  denoted  by  a  ground  term.  (A 
ground  term  is  any  term  without  variables.) 

Let Σ be any signature, A a Σ-data structure, and Γ a set of first-order Σ-sentences. Γ is an initial specification of A if A is the initial object in the category whose objects are the minimal subalgebras of models of Γ and whose morphisms are homomorphisms. (If Γ is a set of universal sentences, then it is an initial specification in the above sense iff A is initial in the category of models of Γ.) Γ is a final specification of A if A is the final (i.e., terminal) object in the category of non-trivial minimal subalgebras of models of Γ. (This particular notion of final specification is due to Bergstra and Tucker [SIAM J. Comput., 12(1983)].) A specification Γ is complete if it is at the same time initial and final. A specification is universal, conditional, or equational if Γ is respectively a set of universal first-order sentences, conditional equations (quasi-equations), or equations.

Let Σ be an equality-test signature. For each quantifier-free Σ-formula φ we define a bool-term φ*, with the same variables as φ, by recursion on the structure of φ. If φ is an s-equation t ≈ r, then φ* = eq_s(t, r). (φ ∧ ψ)* = (φ*) and (ψ*), (φ ∨ ψ)* = (φ*) or (ψ*), and (¬φ)* = not(φ*). The definition is extended to universal sentences: if φ is a universal sentence, and

$$\forall x_0 \forall x_1 \cdots \forall x_{n-1}\; \varphi'(x_0, \ldots, x_{n-1})$$

is its prenex normal form with φ' quantifier-free, then φ* = φ'*.

φ* is called the Boolean transform of φ. For any set Γ of universal sentences let E(Γ) = {φ* ≈ true : φ ∈ Γ}.

Theorem 1. Let Γ be an arbitrary set of universal sentences. The relative subvariety of GET defined by E(Γ) ∪ AXGET is the smallest quasivariety containing all equality-test algebras that satisfy Γ. Hence E(Γ) ∪ AXGET is a base for the conditional equations of the equality-test algebras that satisfy Γ.

This  theorem  provides  the  means  for  converting  any  universal  initial  or  final  specification  of  an 
equality-test  algebra  into  a  conditional  complete  specification. 


Corollary. Let Γ be any set of universal sentences, and let A be an equality-test data structure. If Γ is either an initial or final specification of A, then E(Γ) ∪ AXGET is a conditional complete specification of A.

Corollary.  Every  equality-test  data  structure  that  has  a  finite  universal  initial  specification 
is  computable. 

Conditional  Specifications  with  Hidden  Sorts  and  Operations 

We extend the results of the last section to data structures that are not equality-test algebras. A signature Σ' is an enrichment of Σ if the sort set S' of Σ' includes the sort set S of Σ and Σ_{w,s} ⊆ Σ'_{w,s} for all w, s ∈ S* × S. A Σ'-algebra A' is an enrichment of a Σ-algebra A if A is obtained from A' by disregarding the additional sorts and operations. In this case A is called a reduct of A' and is denoted by A'|_Σ. A set of Σ'-sentences is an initial (final, complete) specification of a Σ-data structure A with hidden sorts and operations if it is an initial (final, complete) specification of some Σ'-enrichment of A.

Let Σ be an arbitrary signature. The equality-test signature Σ+ is obtained by enriching Σ with a new Boolean sort newbool and a new binary operation eq_s for each sort s of Σ. newbool is called the hidden sort and the eq_s the hidden operations of Σ+. For an arbitrary Σ-algebra A the equality-test enrichment A+ of A is defined in the obvious way.

We  have  the  following  extension  of  Theorem  1. 

Theorem 2. Let Σ be any signature and Γ any set of universal Σ-sentences. Let K be the relative subvariety of GET_{Σ+} defined by E(Γ) ∪ AXGET_{Σ+}. Then K|_Σ is the smallest quasivariety containing all Σ-algebras that satisfy Γ. Hence E(Γ) ∪ AXGET_{Σ+} is a base for the conditional equations of the models of Γ.

Corollary. Let Σ be any signature, Γ any set of universal Σ-sentences, and A a Σ-data structure. If Γ is an initial specification of A, then E(Γ) ∪ AXGET_{Σ+} is a conditional specification of A with hidden sort and operations.

In contrast to the case for equality-test data structures, this conditional specification is not in general complete. In fact, if Γ is a universal specification of a data structure A of arbitrary signature Σ and Γ has no nontrivial models, then E(Γ) ∪ AXGET_{Σ+} is a conditional complete specification of A with hidden sort and operations iff Γ is a universal complete specification of A.

If-Then-Else  Algebras 

A signature Σ is called an if-then-else signature if it is an equality-test signature and, in addition, there exists an operation symbol [_, _, _]_s : bool s s → s for each sort s ≠ bool. A Σ-algebra A is an if-then-else algebra if Σ is an if-then-else signature, A is an equality-test algebra, and, for each s ∈ S \ {bool} and all b ∈ A_bool and a_0, a_1 ∈ A_s,

$$[b, a_0, a_1]_s = \begin{cases} a_0, & \text{if } b = \mathrm{true};\\ a_1, & \text{otherwise (i.e., } b = \mathrm{false}).\end{cases}$$

The class of all if-then-else algebras is denoted by ITE_Σ.

Let Σ be an if-then-else signature, and let AXGITE_Σ be the set of equations obtained from the axioms AXGET_Σ by replacing the one conditional axiom, eq_s(x, y) ≈ true → x ≈ y, by two equational axioms:

$$[\mathrm{true}, x, y]_s \approx x, \qquad [\mathrm{eq}_s(x, y), x, y]_s \approx y.$$

Any Σ-algebra satisfying AXGITE_Σ is called a generalized if-then-else algebra. The variety of generalized if-then-else algebras is denoted by GITE_Σ.
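As an added worked example (not code from the paper), the following Python implements the Boolean transform φ ↦ φ* defined in the previous section and checks the two equational if-then-else axioms just given on a constructed equality-test algebra: the integers mod 4 with +, ·, a constant 0 and the if-then-else operation, with eq_s interpreted as true equality and bool as {True, False}. The tuple encoding of formulas and terms, the operation names, and the algebra Z4 are this example's own assumptions. Because the carrier is finite, A ⊨ ∀x̄ φ can be decided by evaluating the single equation φ* ≈ true under every assignment, which is exactly what the transform is for.

```python
from itertools import product

# Added example (not code from the paper): the Boolean transform phi -> phi*
# and the two if-then-else axioms, checked on a small equality-test algebra.
#
# Formulas are tuples: ('eq', s, t, r) | ('and', f, g) | ('or', f, g) | ('not', f)
# Terms are variables (str) or ('op', name, arg0, arg1, ...).
# An algebra is a finite carrier plus a dict of Python functions for its
# operation symbols; eq_s is true equality and bool is {True, False}.

def transform(phi):
    """phi*, by recursion on the structure of the quantifier-free formula phi."""
    kind = phi[0]
    if kind == 'eq':                          # an s-equation t ~ r becomes eq_s(t, r)
        _, s, t, r = phi
        return ('op', 'eq_' + s, t, r)
    if kind in ('and', 'or'):
        return ('op', kind, transform(phi[1]), transform(phi[2]))
    if kind == 'not':
        return ('op', 'not', transform(phi[1]))
    raise ValueError(f'unknown formula {phi!r}')

def evaluate(term, env, ops):
    """Value of a term under the assignment env in the algebra given by ops."""
    if isinstance(term, str):
        return env[term]
    _, name, *args = term
    vals = [evaluate(a, env, ops) for a in args]
    if name.startswith('eq_'):                # the equality-test operation of sort s
        return vals[0] == vals[1]
    if name == 'and':
        return vals[0] and vals[1]
    if name == 'or':
        return vals[0] or vals[1]
    if name == 'not':
        return not vals[0]
    return ops[name](*vals)

def variables(term, acc=None):
    """The set of variables occurring in a term."""
    acc = set() if acc is None else acc
    if isinstance(term, str):
        acc.add(term)
    else:
        for a in term[2:]:
            variables(a, acc)
    return acc

def holds_universally(phi, carrier, ops):
    """A |= forall x0 ... x_{n-1} phi  iff  A |= phi* ~ true: check the equation
    phi* ~ true under every assignment of carrier elements to the variables."""
    star = transform(phi)
    xs = sorted(variables(star))
    return all(evaluate(star, dict(zip(xs, vals)), ops)
               for vals in product(carrier, repeat=len(xs)))

# Constructed algebra: integers mod 4 with +, *, the constant 0 and [_, _, _]_s.
Z4 = range(4)
OPS = {
    'plus':  lambda a, b: (a + b) % 4,
    'times': lambda a, b: (a * b) % 4,
    'zero':  lambda: 0,
    'ite':   lambda b, a0, a1: a0 if b else a1,    # [b, a0, a1]_s
}

# forall x y. x + y ~ y + x; its transform is the equation eq(x + y, y + x) ~ true.
COMMUTATIVE = ('eq', 'z4', ('op', 'plus', 'x', 'y'), ('op', 'plus', 'y', 'x'))
# forall x. (x * x ~ x) or (x * x ~ 0); fails in Z4 because 3 * 3 = 1.
IDEMPOTENT_OR_NIL = ('or', ('eq', 'z4', ('op', 'times', 'x', 'x'), 'x'),
                           ('eq', 'z4', ('op', 'times', 'x', 'x'), ('op', 'zero')))

def ite_axioms_hold(carrier, ops):
    """The two equations that replace the conditional axiom eq(x,y) ~ true -> x ~ y:
    [true, x, y] ~ x  and  [eq(x,y), x, y] ~ y.  Together they force x = y
    whenever eq(x,y) = true, since then [eq(x,y), x, y] = [true, x, y] = x."""
    first = all(ops['ite'](True, x, y) == x for x in carrier for y in carrier)
    second = all(ops['ite'](x == y, x, y) == y for x in carrier for y in carrier)
    return first and second
```

`holds_universally` is the finite-carrier form of Theorem 1's content: the universal sentence and the single equation φ* ≈ true have the same models among equality-test algebras, so the decision procedure only ever evaluates a bool-term.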

GITE-Representation  Theorem.  Every  generalized  if-then-else  algebra  is  isomorphic  to  a 
subalgebra  of  a  Cartesian  product  of  if-then-else  algebras.  More  generally,  given  any  set  E  of 
equations,  every  generalized  if-then-else  algebra  that  satisfies  E  is  isomorphic  to  a  subalgebra  of  a 
Cartesian  product  of  if-then-else  algebras  that  satisfy  E. 

Corollary.  GITE  is  the  smallest  quasivariety  and  also  the  smallest  variety  that  contains  all 
if-then-else  algebras.  Hence  AXGITE  is  a  base  for  the  conditional  equations  of  ITE. 

We  also  have  the  following  analogues  of  Theorem  1  and  its  first  corollary;  compare  Bloom  and 
Tindell  [SIAM  J.  Comput.,  12(1983)],  Guessarian  and  Meseguer  [SIAM  J.  Comput.,  16(1987)],  and 
Mekler  and  Nelson  [SIAM  J.  Comput.,  16(1987)]. 

Theorem 3. Let Γ be an arbitrary set of universal sentences. The subvariety of GITE defined by E(Γ) ∪ AXGITE is the smallest quasivariety and also the smallest variety containing all if-then-else algebras that satisfy Γ. Hence E(Γ) ∪ AXGITE is a base for the conditional equations of the if-then-else algebras that satisfy Γ.

Corollary. Let Γ be any set of universal sentences, and let A be an if-then-else data structure. If Γ is either an initial or final specification of A, then E(Γ) ∪ AXGITE is a conditional complete specification of A.

The if-then-else enrichments Σ+ of an arbitrary signature Σ and A+ of an arbitrary Σ-algebra A are defined in the obvious way.

Theorem  2  and  its  corollary  do  not  carry  over  intact  to  if-then-else  algebras.  Their  proofs 
depend  on  the  fact  that  none  of  the  hidden  operations  of  the  equality-test  enrichment  has  a  visible 
sort  as  target.  The  best  that  can  be  obtained  are  the  following. 

Theorem 4. Let Σ be any signature and Γ any set of universal Σ-sentences. Let K be the subvariety of GITE_{Σ+} defined by E(Γ) ∪ AXGITE_{Σ+}. Then the class of subalgebras of K|_Σ is the smallest quasivariety that contains all Σ-algebras that satisfy Γ. Hence E(Γ) ∪ AXGITE_{Σ+} is an equational base for the conditional equations of the models of Γ.

Corollary. Let Σ be any signature, Γ any set of universal Σ-sentences, and A a Σ-data structure. If Γ is an initial specification of A, then A is isomorphic to the minimal subalgebra of B|_Σ where B is the initial algebra of the subvariety of GITE_{Σ+} defined by E(Γ) ∪ AXGITE_{Σ+}.

Thus a finite universal initial specification of an arbitrary data structure A can always be transformed into a finite equational initial specification of a generalized if-then-else algebra B with the property that A is a subalgebra of the reduct of B. A need not be the entire reduct of B, however, so in general we do not get an equational specification of A with hidden sort and operations in the usual sense.

However we do have that, if Γ is a universal specification of a data structure A and Γ has no non-trivial models, then E(Γ) ∪ AXGITE_{Σ+} is an equational complete specification of A with hidden sort and operations iff Γ is a universal complete specification of A. Compare Bergstra and Tucker [Technical Report IW 156, Math. Cent., Amsterdam, 1980].
For us, a petri net is a Place/Transition Net. The syntax can be a bipartite digraph with constraints and firing rules as in [R82] or categorically motivated monoids as
in  [MM88a,MM88b].  The  operational  semantics  of  petri  nets  is,  roughly  speaking,  given 
by  finite  sequences  of  markings  determined  by  the  graph  structure,  the  constraints  and  the 
firing  rules.  Other  related  models  include  [Stk87,Win84,Win87].  Here  we  say  dynamics  for 
the  operational  semantics  of  petri  nets. 

The  dynamics  progresses  by  a  convolution,  [Ros88,MB84],  which  is  a  commutative 
monoid  on  a  well  supported  compact  closed  structure  [Car88].  The  algebraic  structure 
of  petri  nets  follows  from  the  general  structure  theorems  in  [CW87,Car88]  or  indeed  earlier 
papers. 

Since  more  than  one  transition  can  be  enabled  in  a  given  marking,  there  may  be  several 
different  follower  markings  from  a  given  marking.  Therefore  the  dynamics  is  in  general 
nondeterministic. 

In  this  dynamics  there  is  a  natural  notion  of  discrete  time.  Each  time  step,  or  tick, 
corresponds  to  an  attempt  to  cause  all  the  transitions  to  fire.  But,  in  this  dynamics,  even 
enabled  transitions  may  choose  not  to  fire.  So  one  of  the  nondeterministic  choices  is  that 
no transitions fire on a given tick. Therefore a follower marking may be identical to the
predecessor  marking.  But  this  identity  does  not  mean  no  transition  has  fired,  since  there 
are  petri  nets  in  which  the  result  of  certain  firings  result  in  the  same  marking  as  before  the 
firing.  This  is  not  a  defect  in  the  choice  of  dynamics  as  the  operational  syntax.  We  agree 
that  the  intention  of  a  petri  net  is  solely  to  move  indistinguishable  tokens  from  place  to  place 
in  the  petri  net.  If  the  act  of  firing  is  of  particular  interest,  one  may  add  a  distinguished 
output  place  to  each  transition.  Each  transition  adds  a  token  to  this  distinguished  place. 
In  this  modified  petri  net,  the  number  of  tokens  in  each  of  the  additional  places  records  the 
number  of  times  the  transition  has  fired. 

The transitions of the petri net specify nondeterministic functions, roughly from input places to output places, by a delicate transformation from the firing rules to the generators of the nondeterministic functions. The places of the petri net specify nondeterministic distribution functions from the places to the inputs to the transitions. These distribution functions forward tokens to the transitions in all possible ways. The distribution functions are denoted by Δ. Additionally, the places of the petri net specify nondeterministic collection functions from the outputs of the transitions to the places. The collection functions simply stack all incoming tokens at the place. These functions are denoted by ∇.

Finally, we include an image transition for each place. The image transitions simply copy input to output. This describes the intuition that at any time tick, some or all of the tokens at a place remain at that place. We send such tokens through the image transition associated with the place. For example, a petri net with one place, one transition and set of nondeterministic markings M has a distribution function

$$\Delta : M \to M \otimes M$$

which sends the tokens at the place either to the left or the right in all possible ways. The tensor is symmetric monoidal, as in [Mac71,Ben82,Ben87,Ben89]. For n tokens, the result of the distribution is the nondeterministic sum of pairs

$$n\Delta = \sum_{k+p=n} k \otimes p.$$

The collection function from transition outputs to the place has signature

$$\nabla : M \otimes M \to M.$$

With k tokens on the left and p tokens on the right, the result of this collection is

$$(k \otimes p)\nabla = k + p$$

with '+' being the ordinary sum of natural numbers.

The transition of the one place, one transition petri net is associated with the firing function f : M → M. There is an image firing function for the place, p : M → M. The dynamics, d, of one time tick is the convolution

$$d = \Delta\,(f \otimes p)\,\nabla : M \to M.$$

These same considerations apply to a petri net with any (usually finite) number of places and transitions. The wiring diagram between places and transitions requires some technical care, but causes no conceptual difficulties. Similarly, the structure easily extends to colored tokens and other such variations on the theme.
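As an added example (not code from the paper), the following Python computes the one-tick dynamics d = Δ(f ⊗ p)∇ of the one-place, one-transition net above as a set-valued (nondeterministic) function on markings, and the same one-tick step for a net with any number of places and transitions, where a marking is a tuple of token counts and any subset of transitions whose combined input demand the marking can supply may fire together (the empty subset being the tick on which nothing fires). The concrete firing function f (fire at most once per tick, consume the input weight, hand surplus tokens back), the `step` encoding of the wiring, and the sample nets are assumptions of this example, since the text leaves the passage from firing rules to f unspecified; the firing-counter construction follows the modified net described earlier in this section.

```python
from itertools import product

# Added example (not code from the paper): the convolution dynamics
# d = Delta (f (x) p) Nabla for the one-place, one-transition net, and the
# one-tick step of a general Place/Transition net.
# A marking is a tuple of natural numbers, one per place.  A transition is a
# pair (pre, post) of arc-weight vectors over the places.
#
# Assumption of this example: a transition fires at most once per tick, it
# consumes exactly its input weights from the tokens routed to it, and tokens
# routed to it beyond those weights pass through unchanged.

def distribute(n):
    """n Delta = sum over k + p = n of k (x) p: every split of n
    indistinguishable tokens between the transition (k) and the image
    transition (p)."""
    return [(k, n - k) for k in range(n + 1)]

def collect(k, p):
    """(k (x) p) Nabla = k + p: stack the tokens arriving from both outputs."""
    return k + p

def firing(k, w_in, w_out):
    """f on k tokens: fire once if enabled, otherwise hand the tokens back."""
    return k - w_in + w_out if k >= w_in else k

def one_place_tick(n, w_in, w_out):
    """d = Delta (f (x) p) Nabla : M -> M, returned as the set of follower markings."""
    return {collect(firing(k, w_in, w_out), p)   # p is the identity on its share
            for k, p in distribute(n)}

def step(marking, transitions):
    """Follower markings of a general net after one tick.  Every subset of
    transitions whose combined demand the marking can supply fires at once;
    the empty subset is the tick on which no transition fires."""
    followers = set()
    for choice in product((False, True), repeat=len(transitions)):
        demand = [0] * len(marking)
        supply = [0] * len(marking)
        for fire, (pre, post) in zip(choice, transitions):
            if fire:
                for i, w in enumerate(pre):
                    demand[i] += w
                for i, w in enumerate(post):
                    supply[i] += w
        if all(m >= d for m, d in zip(marking, demand)):
            followers.add(tuple(m - d + s for m, d, s in zip(marking, demand, supply)))
    return followers

def iterate(marking, transitions, ticks):
    """Iterate the endomorphism d: every marking reachable within `ticks` ticks."""
    reached, frontier = {marking}, {marking}
    for _ in range(ticks):
        frontier = {m2 for m in frontier for m2 in step(m, transitions)}
        reached |= frontier
    return reached

def with_firing_counters(transitions):
    """The modified net described above: each transition gets one extra output
    place whose token count records how often that transition has fired.
    Markings of the new net carry one extra zero per transition."""
    k = len(transitions)
    return [(tuple(pre) + (0,) * k,
             tuple(post) + tuple(1 if j == i else 0 for j in range(k)))
            for i, (pre, post) in enumerate(transitions)]

# Constructed net (not from the paper): two places, one transition moving a
# token from p0 to p1 and one moving it back.
PING_PONG = [((1, 0), (0, 1)), ((0, 1), (1, 0))]
```

For a single place and a single transition, `step` and `one_place_tick` agree: routing k tokens to the transition and n - k through the image transition, over all k, yields exactly the two outcomes "fired once" and "did not fire", which is why the convolution is nondeterministic even when f itself is a function.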

A category of petri net dynamics has as objects the petri nets and as morphisms nondeterministic functions which preserve the behaviors. Consider the tensor product of two petri nets, this being determined by the tensor product of behavioral convolutions. The full subcategory of petri nets without sources has finite categorical products, these being the tensor product. The full subcategory of petri nets without sinks has finite categorical coproducts, these being the tensor product. Thus the full subcategory of petri nets without sources or sinks has finite biproducts. This is then the situation of [CW87].

Since the convolutional dynamics d is an endomorphism, standard methods apply to understanding the iterate over time ticks.
Display of graphics and their applications, as exemplified by 2-categories and the Hegelian "taco"

F. William Lawvere


A graphic monoid M satisfies identically xyx = xy and an application of M is a right M-set. Every left ideal of such an M is also a right ideal, simplifying and structuring the study of the topos of applications. An informal process of displaying pictures of graphics and applications is exemplified, with conjectured use in the organization of knowledge. The Hegelian organization of knowledge is concretely realized in terms of adjoint functors on "any" mathematical category, and is used to give a precise definition of the dimension needed for a display. A central fragment of the Hegelian scheme is revealed as an 8-element graphic, whose suggestive display has reminded some of a taco.

I.  INTRODUCTION 


By a graphic we will mean any finite category each of whose endomorphism monoids satisfies the identity xyx = xy; in particular, a graphic monoid is a graphic category with one object.

By an application of a graphic category we will mean any right action of it on finite sets (i.e. any contravariant finite-set-valued functor on it). If I is any object of a graphic G, then G(-,I) is a particular application (often called the right regular representation in the case of a monoid) and together these give a full embedding of G into the topos of all applications of G, to which we freely apply the Cayley-Dedekind-Grothendieck-Yoneda lemma. If X is any application of the graphic G, then the "comma" category G/X (whose objects are the elements of X and whose morphisms determine the action via the discrete fibration property of the labelling functor G/X → G) is again a graphic. Thus each particular application X of G provides one way G' → G of expanding the graphic G into a more detailed graphic G'. Even though graphic monoids G play a central role, we must also deal with graphics such as G/X with many objects. Similarly, the category Ĝ of all retracts of objects of G (which may be constructed either abstractly to have as objects the idempotents of G or concretely as a full subcategory of the category of applications of G; note that in the former guise it is "a itself" which plays the role of 1_a) will again have many objects; indeed the graphic identity xyx = xy implies x² = x, so that if G is a monoid then Ĝ has an object for every element of G (some of those objects may be isomorphic in Ĝ). The interest of G → Ĝ is that it induces an equivalence between the associated toposes of applications. We intend to associate with each graphic (by a compelling though not yet well-defined process) a "display" which will reveal much of its structure.

We do associate a well-defined distributive lattice which is itself a standard application and which may be considered to consist of refined "dimensions" in that it parameterizes all the ranks in a Hegelian analysis of the topos of all applications; through this distributive lattice there is a well-defined ascending sequence, obtained by the Hegelian process of "resolution of one unity of opposites by the next"; the length of this sequence is the geometrical dimension of the display in our numerous examples.

What is especially striking is that the Hegelian analysis of any topos turns out to involve graphic monoids which are in fact bicategories. Thus, the organization of any branch of knowledge, insofar as it can be mathematical (i.e. teachable), may in some measure reflect itself in graphic displays. Though proposed [0] nearly 200 years ago, the Hegelian method of analysis has been widely under-utilized since then; "conflicting" ideological claims either that it is inconsistent or that it is too wonderfully fluid to be made mathematical have conspired to prevent its being widely taught. We believe that we have through modest examples shown it to be consistent (and non-trivial) and that much of the method should be made mathematical, which would help those who seriously want to use it, even that part which remains fluid.

By a constant c in a graphic monoid is meant an element such that cx = c for all x. The three element monoid with two constants ∂0, ∂1 (so ∂i∂j = ∂i) has as its applications all the reflexive directed graphs; that example plays a central role in [1,2] and suggested the name. Toposes of applications of such "constant" graphics with more than two constants were investigated in [2], partly as a vehicle for explaining some basic topos theory and partly to determine how they were different from the two-constant cases in which x∂0, x∂1 denote the beginning and ending points of an arbitrary directed edge x. In the course of that work, the identity xyx = xy was discovered as the least common generalization of constant (x = c) and identity (x = 1); later I learned that it had been briefly mentioned as a purely formal generalization in [3], where the finiteness was noted, and that in [4] a partial structure theorem for such monoids was proved as well as a structure theorem for certain more general monoids using these as one of the ingredients. (As for finiteness, it is immediate that the free graphic monoid on a finite set of n letters consists of all words without repetitions, of which there are only $n!\sum_{i=0}^{n} 1/i!$.) So far I have not found any previous discussion of applications (in either sense).

In this paragraph (and the next), we make some imprecise remarks about possible uses. Retrieving stored knowledge presupposes some consciousness of the structure it has; this structure is in its particularity fixed by the storage process itself (and in its generality is partly a reflection of the content, i.e. of the nature of the knowledge stored). Thus in both retrieval and storage one needs to be explicitly aware of the kind of structure involved. Here we are momentarily accenting the "passive" aspect of the structure, the kind of structure that both codomain and domain of more "active" operations such as rewrite must have ("peeking" may be definable). Now it is commonly recognized that commutative operations such as Boolean intersection are involved, but also "something further". We here speculate that non-commuting systems of idempotent operations may capture some of the further subtlety. The arrangement of shelves in any science library shows that topological algebra ≠ algebraic topology and chemical physics ≠ physical chemistry, although these are in some sense "intersections". A feature which seems to be present is that a sub-branch b is not only a subset but reflects things x (not necessarily in b) to a part bx of b which is most relevant to x (bx is a single element in the generic case of G(-,I) but the idea retains force in general applications).

As  another  example,  we  could  assign  to  every  page  of  every 
book  the  title  page  of  the  book  that  it  is  in;  clearly  this 
operation  specifies  the  set  of  all  title  pages,  but  much  more. 

Such idempotent operations need not commute but on the other hand would have a rather strong commutation relation reflecting the hierarchical structure of empty documents within folders within disks.... We have pursued the investigations summarized here in the hope that the "graphical" identity may capture many instances of this commutation relation. This hope was strengthened by the recent discovery that that identity arises in the Hegelian scheme of knowledge. It is said that the German philosopher Hegel, building on the work of Aristotle and in opposition to the eclectic listing of categories of sciences by his "metaphysical" predecessor Wolff, proposed to generate the main categories by a single dialectical process. The great mathematician Grassmann, partly inspired by Leibniz, also emphasized the dialectical method in building up his geometrical theory of extensive quantities. What a striking contrast between these, who advanced both knowledge and its organization, and those to whom x ∉ x is a big issue and who lead us astray with library-catalogue paradoxes, when more conscious access to libraries is what is needed!


II. Elementary Consequences of the Basic Identity, with special reference to ideals


We begin our calculations by pointing out some remarkable consequences of the graphic identity

$$aba = ab.$$


For any right action X of any monoid M, there is for any element x the stabilizer

$$\mathrm{Stab}(x) = \{a \in M \mid xa = x\}.$$

PROPOSITION 1 If M is a graphic monoid, then the stabilizer of any element x of any application X is a saturated submonoid: ab ∈ Stab(x) ⟹ a, b ∈ Stab(x).

Proof: xab = x ⟹ xa = xaba = xab = x and xb = xabb = xab = x.

For any action the part fixed by all of M is a (trivial) subaction, but the part fixed by a single a ∈ M, which for idempotent a satisfies

$$X_a = \{x \in X \mid xa = x\},$$

is usually only a subset (it is a functor of X).

PROPOSITION 2 If M is graphic and a ∈ M and if X is any application of M, then X_a is actually a sub-application, i.e. x ∈ X_a ⟹ xb ∈ X_a for all b ∈ M.

Proof: xa = x ⟹ (xb)a = xaba = xab = xb ⟹ xb ∈ X_a.


One of the most powerful consequences of the graphic identity is that

every left ideal is a right ideal,

which follows from the next proposition, using the fact that every ideal of either kind is a union of principal ideals.

PROPOSITION 3 For any element a of any graphic monoid M,

$$aM \subseteq Ma.$$

Proof: For every x there is an element x^a for which ax = x^a a, namely, we can take x^a = ax.


Since every element of a graphic monoid is idempotent, it follows trivially that

every left ideal S is idempotent

in the sense that SS = S. For a general monoid, this would be equivalent to "for every a, there are u, v for which a = uava". This would include all groups, and also the monoid of all endomaps of a 2-element set, which figures in [2]. Perhaps much of what follows could be generalized to all monoids satisfying the two boxed axioms above, but if we assume idempotence of elements, it can be shown that aM ⊆ Ma implies the graphic identity.

Often Ma is much bigger than aM, but as a right ideal it is a finite union ∪ b_i M of principal right ideals. The smallest number #(a) of b_i required could be considered as a crude measure of the size of a.

PROPOSITION 4 Ma = ∪ b_i M iff

1) b_i = b_i a for all i;

2) for all x, xa = b_i x for some i.

In particular, one of the b_i must be a itself.

Proof: xa = b_i y for some y, so xa = b_i xa by idempotence. Thus xa = b_i a xa by 1), so xa = b_i a x = b_i x. Taking x = 1 proves the last remark.

Normally a principal ideal can have more than one generator, but in a graphic the elements are faithfully represented by right ideals:

PROPOSITION 5 In a graphic monoid, aM = bM ⟹ a = b.

Proof: We have a = bx and b = ay, hence by idempotence a = ba and b = ab. But a = ba = bab = bb = b.

For principal left ideals we do not have faithfulness but we do have, since Ma ⊆ Mb iff a = ab:

PROPOSITION 6 In a graphic monoid, Ma = Mb iff a = ab and b = ba iff Stab(a) = Stab(b) iff a, b are the images of the two constants ∂0, ∂1 under a homomorphism from the three element monoid with 2 constants.

Note that aM ∩ bM, while a right ideal, is not usually a principal right ideal and is often even empty. But for principal left ideals this situation is simpler:

PROPOSITION 7 For any graphic monoid,

$$Mab = Ma \cap Mb, \qquad M1 = M.$$

Hence Mab = Mba.

Proof: Mab ⊆ Mb is clear. By the graphic identity, we also have Mab ⊆ Ma. If an element x is in both Ma and Mb, then x = xa and x = xb by idempotence, so x = xb = xab ∈ Mab.
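As an added example (not code from the paper), the following Python builds the free graphic monoid on a finite set of letters (the repetition-free words mentioned in the introduction), verifies the identity xyx = xy on it, and checks Propositions 1, 3, 5, 6 and 7 by brute force on the right regular representation; it also collects the image of a ↦ Ma, which the next paragraph identifies as the semilattice reflection CM. The monoid of all endomaps of a 2-element set is included as a contrast that fails the identity. The word representation, the function names and the choice of test monoids are this example's own.

```python
# Added example (not code from the paper): the free graphic monoid on a
# finite set of letters, with brute-force checks of Propositions 1, 3, 5, 6, 7.
# An element is a repetition-free word; the product is concatenation followed
# by deletion of every letter of the right factor already present in the left
# factor, which is exactly what xyx = xy forces on words.

def graphic_mul(u, v):
    return u + ''.join(c for c in v if c not in u)

def free_graphic_monoid(letters):
    """All repetition-free words over `letters`: n! * sum_{i<=n} 1/i! of them."""
    elems, frontier = {''}, {''}
    while frontier:
        frontier = {graphic_mul(w, c) for w in frontier for c in letters} - elems
        elems |= frontier
    return frozenset(elems)

def is_graphic(elems, mul):
    """The defining identity aba = ab, checked on every pair of elements."""
    return all(mul(mul(a, b), a) == mul(a, b) for a in elems for b in elems)

def right_ideal(a, elems, mul):     # aM
    return frozenset(mul(a, x) for x in elems)

def left_ideal(a, elems, mul):      # Ma
    return frozenset(mul(x, a) for x in elems)

def stabilizer(x, elems, mul):      # Stab(x) = {a | xa = x} in the right regular action
    return frozenset(a for a in elems if mul(x, a) == x)

def stabilizers_saturated(elems, mul):
    """Proposition 1: ab in Stab(x) implies a in Stab(x) and b in Stab(x)."""
    for x in elems:
        stab = stabilizer(x, elems, mul)
        for a in elems:
            for b in elems:
                if mul(a, b) in stab and not (a in stab and b in stab):
                    return False
    return True

def check_propositions(elems, mul):
    """Which of the text's propositions hold on the given finite monoid."""
    pairs = [(a, b) for a in elems for b in elems]
    Ma = {a: left_ideal(a, elems, mul) for a in elems}
    aM = {a: right_ideal(a, elems, mul) for a in elems}
    St = {a: stabilizer(a, elems, mul) for a in elems}
    return {
        'prop1_saturated': stabilizers_saturated(elems, mul),
        'prop3_aM_in_Ma': all(aM[a] <= Ma[a] for a in elems),
        'prop5_faithful': all(aM[a] != aM[b] for a, b in pairs if a != b),
        'prop6_stab': all((Ma[a] == Ma[b]) == (St[a] == St[b]) for a, b in pairs),
        'prop7_meet': all(Ma[mul(a, b)] == Ma[a] & Ma[b] for a, b in pairs),
    }

def semilattice_reflection(elems, mul):
    """The image CM of a -> Ma.  Under intersection it is a semilattice; for the
    free graphic monoid its elements correspond to the subsets of letters,
    since Ma consists of the words containing every letter of a."""
    return frozenset(left_ideal(a, elems, mul) for a in elems)

# Contrast: the four endomaps of {0, 1}, composed left to right, are not graphic.
END2 = [(0, 0), (0, 1), (1, 0), (1, 1)]      # f encoded as the tuple (f(0), f(1))

def compose(f, g):
    """x -> g(f(x)): apply f, then g, the order matching a right action."""
    return tuple(g[f[x]] for x in range(2))
```

On three letters the monoid has 16 elements and its reflection CM has 8, one per subset of letters; the swap map in `END2` is its own inverse, so fgf = id ≠ fg = swap when g is the identity, which is why that monoid fails `is_graphic`.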

As Kimura [4] proved and used, the image CM of the homomorphism M → (left ideals, ∩) thus defined is actually the universal homomorphism to any commutative graphic monoid (= semilattice). Schanuel (unpublished) showed, as suggested by Propositions 1 and 6, that this semi-lattice reflection CM can alternatively be constructed as part of the set of all saturated submonoids under the join operation on such (note that Ma ⊆ Mb iff Stab(a) ⊇ Stab(b)).

Now we recall that in the topos of all applications of M, the truth-value application Ω is the one consisting of all right ideals of M, under the action of each b ∈ M defined at A by

A·b = {x ∈ M | bx ∈ A}

which is easily seen to be another right ideal if A was. The universal use of Ω is: if Y ⊆ X is any sub-application, then φ: X → Ω defined by

φx = {a ∈ M | xa ∈ Y}

is an M-equivariant morphism of applications, and the unique one for which

x ∈ Y ⟺ φx = true

(where true = M ∈ Ω) holds for all x in X. In general φx is thought of as the truth-value of the statement "x ∈ Y", which value just consists of all available acts which bring about actual truth. For example, in the case where applications = directed graphs, there are five truth-values, two of which are points, one is a loop at true, and the other two are edges connecting (in the two directions) true with false = ∅.

In the case of a graphic monoid we have shown (Proposition 3) that every left ideal is a right ideal. Even more remarkably, if we consider the sublattice Ω_ℓ ⊆ Ω (of the distributive lattice of all right ideals) which consists of the left ideals, we have




PROPOSITION 8 For a graphic monoid M, Ω_ℓ ⊆ Ω is a sub-application.

Proof: If S is a left ideal and a ∈ M, then S·a = {b | ab ∈ S}. We must show that this is again a left ideal. So suppose ab ∈ S and that c ∈ M; we must show cb ∈ S·a, that is that acb ∈ S. But acb = (aca)b = acab ∈ Mab ⊆ S since S itself was a left ideal.

Even though the inclusion of posets Ω_ℓ ⊆ Ω has both a left adjoint (A ↦ MA) and a right adjoint, neither of the latter is a morphism of applications. For example, for directed graphs (where [ ] ≤ true in the ordering, which we suppress) the inclusion in question is

[picture]

which admits no graph-theoretic retraction (order-preserving or not). Note that aM ⊆ bM ⟹ Ma ⊆ Mb.

Although applications in general do not have left actions, we can ask: for which inclusions Y ⊆ X of applications does the corresponding characteristic map φ: X → Ω actually factor through the sublattice Ω_ℓ of left ideals? In the example of directed graphs, the above picture shows the answer to be: those subgraphs Y of the graph X for which no directed edge of X enters Y or leaves Y except on excursion, i.e.

x∂₀ ∈ Y ⟺ x∂₁ ∈ Y for all x.
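The truth-value object for directed graphs, the action A·b, the characteristic map φ and the factorisation through Ω_ℓ can all be computed for the three-element graph monoid. The Python below is an added example, not code from the paper: Δ is written as the strings 1, d0, d1, Ω is enumerated as the set of right ideals, each truth value is read off as a point or an edge of Ω, and φ is computed for two subgraphs of a small constructed graph, checking its equivariance, that Ω_ℓ is a sub-application (Proposition 8), and that φ lands in Ω_ℓ exactly when the endpoint condition x∂₀ ∈ Y ⟺ x∂₁ ∈ Y holds. The graph, its subgraphs and all names are constructed for the example.

```python
"""Truth values of directed graphs, i.e. of applications of the three-element
graphic monoid Delta = {1, d0, d1} (d0, d1 constants).  Added example."""
from itertools import combinations

DELTA = ("1", "d0", "d1")          # 1 is the identity, d0/d1 the two constants


def dmul(x, y):
    """Product in Delta: 1 is neutral and each constant absorbs, d_i y = d_i."""
    return y if x == "1" else x


def subsets(s):
    s = list(s)
    return [frozenset(c) for n in range(len(s) + 1) for c in combinations(s, n)]


def is_right_ideal(A):
    return all(dmul(a, b) in A for a in A for b in DELTA)


def is_left_ideal(A):
    return all(dmul(b, a) in A for a in A for b in DELTA)


OMEGA = [A for A in subsets(DELTA) if is_right_ideal(A)]   # the truth values
TRUE, FALSE = frozenset(DELTA), frozenset()


def truth_action(A, b):
    """A.b = {x in Delta | b x in A}; this is again a right ideal."""
    return frozenset(x for x in DELTA if dmul(b, x) in A)


def shape(A):
    """Read a truth value as a vertex or as an edge src -> tgt of the graph Omega."""
    src, tgt = truth_action(A, "d0"), truth_action(A, "d1")
    name = lambda V: "true" if V == TRUE else "false"
    if src == A and tgt == A:
        return "point " + name(A)
    return "edge %s -> %s" % (name(src), name(tgt))


def omega_l_is_sub_application():
    """Proposition 8: the left ideals are closed under the action of Delta."""
    return all(is_left_ideal(truth_action(A, b))
               for A in OMEGA if is_left_ideal(A) for b in DELTA)


# A directed graph as an application: x.1 = x, an edge e has source e.d0 and
# target e.d1, and a vertex is fixed by everything.  Constructed sample data:
# u --e--> v in one component, and w carrying a loop f in another.
EDGES = {"e": ("u", "v"), "f": ("w", "w")}
VERTICES = ("u", "v", "w")
X = VERTICES + tuple(EDGES)


def act(x, b):
    if b == "1" or x in VERTICES:
        return x
    return EDGES[x][0] if b == "d0" else EDGES[x][1]


def is_sub_application(Y):
    return all(act(y, b) in Y for y in Y for b in DELTA)


def char_map(Y):
    """phi(x) = {a in Delta | x a in Y}, the truth value of the statement 'x in Y'."""
    return {x: frozenset(a for a in DELTA if act(x, a) in Y) for x in X}


def is_equivariant(phi):
    return all(phi[act(x, b)] == truth_action(phi[x], b) for x in X for b in DELTA)


def factors_through_left_ideals(Y):
    """phi lands in Omega_l iff x.d0 in Y <=> x.d1 in Y for every x (both computed)."""
    phi = char_map(Y)
    lands = all(is_left_ideal(phi[x]) for x in X)
    endpoints = all((act(x, "d0") in Y) == (act(x, "d1") in Y) for x in X)
    return lands, endpoints
```

For Y = {v} the edge e gets the truth value {d1}, an edge from false to true, so φ does not land in Ω_ℓ; for Y = {w, f}, a whole component, every value is a left ideal and the endpoint condition holds.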

[figure: false, true]

Now in the generic application X = M, the left multiplication by a may be considered as the reflection of an arbitrary x to (the "most relevant element of"?) the fixed point set Xa. In a particular application X, left multiplication by a is usually not defined. However, by Proposition 2, Xa ⊆ X is a sub-application, and hence by the universal property of Ω there is a unique characteristic map φ_a: X → Ω, and we have aM ⊆ φ_a x for all x, for even Ma ⊆ φ_a x. We may ask, when is φ_a x ∈ Ω_ℓ? By definition

PROPOSITION 9 φ_a x ∈ Ω_ℓ iff

∀b, λ ∈ M [xba = xb ⟹ xλba = xλb]

PROPOSITION 10 If X = M and if M consists only of constants and 1, then φ_a x ∈ Ω_ℓ for all x, a ∈ M.

Throughout this paper we consider only the category of right actions or "applications" (categories of left actions are treated very briefly in the examples in [2] and have rather different properties). Thus it must constantly be kept in mind that whenever we attribute a property such as "connectedness" to a left ideal S we are using our Proposition 3 to consider S as an object in the category of (right) applications; connectedness of S as a left action would mean something quite different! Similarly, when the set Ω_ℓ of left ideals is considered as an object in a category, it will be (either as a lattice or) according to Proposition 8 as an application.


III.  Elementary  Examples  and  their  Intuitive  Displays 


In preparation for listing some examples of graphics, let us make explicit some facts about the role of constants.

PROPOSITION  11  Every  graphic  monoid  contains  constants. 

Proof:  Since  we  have  assumed  finiteness,  let  c  be  the  product, 
in  some  chosen  order,  of  all  the  elements  of  the  monoid.  Then 
cx  =  c  for  any  x  ,  since  x  already  occurs  first  as  a  factor 
of  c  ,  and  the  basic  identity  cancels  second  occurrences. 


For example, the free graphic monoid on n generators has n! constants, since all words of maximal length are distinct. On the other hand, all those can be collapsed to one without imposing any further relations between words of shorter length. Thus (not only commutative) examples may have a unique constant.

PROPOSITION 12 If c is a constant, then so is ac for any a. Thus Ma includes all constants, hence any non-empty left ideal contains all constants. Also if there is a unique constant o, we have ao = o for all a.

The left action of M on the set T₀ of all constants of M may thus fail to be faithful. However, we can always adjoin new constants, for example via the sub-representation M ∪ X of the faithful left regular representation of M on X = M. If we do that to the four-element free semilattice on two generators x, y, we get a six-element graphic whose display will turn out to be the two-dimensional picture


Of course any free graphic monoid does act faithfully (on the left) on its constants. For example the five-element free graphic monoid on two generators a, b has the two constants ab and ba, on which the generators act by interchanging them; however, its display will turn out to be the one-dimensional:

[display: 1 drawn as an edge whose ends are ab and ba]


The graphic monoid Δ with only three elements, two of which are constant, is displayed


and all its applications are "one-dimensional", being directed graphs. It is of wide use in analyzing more complicated graphics; for example, consider the graphic monoid M which is freely generated by two elements ∂₁, α subject to the one relation ∂₁α = ∂₁, and define ∂₀ = α∂₁. Then

∂₀∂₁ = α∂₁∂₁ = ∂₀
∂₁∂₀ = ∂₁α∂₁ = ∂₁

so that any M-application has in particular an underlying directed graph, but is more in that α also acts on the directed edges. In addition to the defining relation, we have ∂₀α = α∂₁α = ∂₀, so that both remain constants even in M. The definition of ∂₀ says that any xα ends at the beginning of x, but moreover xα∂₀ = xαα∂₁ = x∂₀, so that xα is a loop at x∂₀. Thus every edge x in an application carries with it a picture

[picture]


If x is interpreted as a process, we might consider xα as the "preparation" necessary for x. In order to represent M faithfully by endomaps, consider one more constant * together with ∂₀, ∂₁ and define an operation on this three-element set by α(∂₀) = α(∂₁) = ∂₀, α(*) = *. The left-ideal lattice Ω_ℓ has four elements

∅ ⊂ M∂₀ = M∂₁ ⊂ Mα ⊂ M


but Mα =

[picture]

is not "connected", which will mean that even as a graphic in its own right, M must be displayed as one-dimensional. This contrasts with

x_i y_j = y_j x_i

a two-dimensional, nine-element graphical monoid, which like the above M also receives a homomorphism Δ → Δ × Δ, say the diagonal. Along the latter, we also get an underlying graph, whose display is

[picture]


In general, if every homomorphism Δ → M is assigned a color, then all the underlying graph structures of M could be simultaneously displayed.

For another important example, recall that graphs underlie the theory of categories, but that there are also 2-categories; underlying the latter are 2-graphs, the generic example of which is

[picture]

This can be made into a five-element (four generator) graphical monoid by defining ∂_i∂_j = ∂_i, D_iD_j = D_i, D_i∂_j = D_i, ∂_iD_j = D_j. Every 2-category (for example the 2-category of all graphics, all functors between these, and all natural transformations between those) has an underlying application of this monoid, in which the Φ∂_i are the domain and codomain "functors" of any "natural transformation" Φ and the FD_i are the domain and codomain "categories" of any "functor" F. The lattice Ω_ℓ turns out to be a linearly-ordered set isomorphic to {-∞, 0, 1, 2}, where 0 stands for the constants but 1 stands for the left ideal

[picture]

which is already connected as a right ideal, hence (by the general theory to be described presently) the graphic itself has a two-dimensional display.


If to a nontrivial graphic monoid we adjoin a new identity element, so that the original monoid becomes a connected left ideal in the new monoid, we get again a graphic monoid of dimension at least two. If we do this to Δ, and denote the original identity element by w, we see

[picture]

that w is more of a "core" than a "boundary", and moreover that, since this is a homomorphic image of

[picture: w drawn over a, wa, b]

dimension can be increased by homomorphic image. Since w∂_i = ∂_i, in the underlying-graph display of M the cloud 1 condenses into another arrow parallel to w.

In  order  to  describe  a  certain  class  of  examples,  two  more 
propositions  will  be  helpful. 


PROPOSITION 13 The lattice Ω_ℓ of left (= bi) ideals in a graphic monoid M is linearly ordered iff for every pair a, b of elements in M

a = ab or b = ba

Proof: This is the condition that Ma ⊆ Mb or Mb ⊆ Ma, i.e. that the (semilattice) commutative reflection CM be linearly ordered. But the left ideals of CM are included surjectively into the left ideals of M, and the left ideals of a linear semilattice are clearly linearly ordered.


PROPOSITION 14 (Schanuel) Suppose that the endomorphism monoid of an object A in a category (such as M) satisfies the graphic identity, and that B is any other object. Then there is at most one splittable epimorphism p: A → B. In case A, B are retracts of a common graphical object I with idempotents a, b then p exists iff Mb ⊆ Ma, where M is the endomorphism monoid of I.

Proof: Suppose p has splitting section s, but that also q has splitting section i; that is ps = 1_B = qi. Then of course sp and iq are idempotents at A, but since A is graphic also ip and sq are idempotents. Better

sq = s(pi)q = (sp)(iq)(sp) = s(piqs)p = sp

so that q = p because s is a monomorphism. It is easily checked that at least one p exists iff b = ba, in the M case.

Thus in any graphic the subcategory of all splittable epimorphisms forms a poset. If

A = B_n —p_n→ B_{n-1} → B_{n-2} → ... → B_1 → B_0

is any linear family of splittable epimorphisms in any category, and if we consider for each k any non-empty finite set of sections B_{k-1} —s_k→ B_k for p_k, then the submonoid of endomorphisms of A obtained by considering all composites will be a graphical monoid. Special interest will attach in part IV to the case where we consider two sections for each p_k.

Note that the unique retraction I → aM "represents" on the level of elements all the unique inclusions Xa ↪ X in the topos of applications of M.

The (one-dimensional) graphic monoid with four constants and five elements (which was described as a "bare unity" in [2]) can be embedded in the two-dimensional Δ × Δ; the one-dimensional connection might be displayed as

Another interesting embedding is

PROPOSITION 15 The free graphic monoid F on two generators a, b can be embedded in [ ] × Δ.

Proof: Note that M = [ ] has a pair of elements f, s such that [ ]. For any such M, F can be embedded in M × Δ by sending a = ⟨f, ∂₀⟩, b = ⟨s, ∂₁⟩.


IV. Unity and Identity of Opposites in Bicategories and precise Definition of the refined and coarse Dimensions of Displays


In order to clarify the notion of dimension which arose in our intuitive displays of graphics, as well as to provide an infinite number of examples of graphics arising from non-idempotent mathematical structures, consider the following

DEFINITION A functor 𝒜 → ℬ will be called a unity-and-identity-of-opposites (UIO) iff it has both left and right adjoints and one of the latter is full and faithful (hence both are). Then, denoting by L and R the two idempotent endofunctors of 𝒜 obtained by composition, we have also L ⊣ R and LR = L, RL = R.

The two adjoints are the inclusions of two opposite subcategories united in 𝒜, yet identical with ℬ. The terminal functor 𝒜 → 𝟙 is a UIO iff 𝒜 has both initial and terminal objects; the latter may be called non-being and pure being resp., and in general L is "non" whatever attribute (of 𝒜) R is the "pure" form of. If 𝒜 is a topos then ℬ will automatically be a topos as well; this applies to our fundamental class of examples, where 𝒜 is the category of all applications of a given graphic. In case 𝒜 is a topos, R is called the ℬ-sheafification, and "non" sheaves may be called ℬ-skeletal. The set of all UIO's with a given 𝒜 forms a poset with respect to the "greater than" ordering

This poset is often small even when 𝒜 is large and is often a complete lattice, as is shown in a forthcoming joint paper with Kelly. For example


PROPOSITION 16 If 𝒜 is a category of all right actions (on sets) of a small category C, then the poset of UIO's with domain 𝒜 is equivalent to the poset of all idempotent two-sided ideals in the category C, with the empty ideal corresponding to 𝒜 → 𝟙.


Corollary: For the category 𝒜 of all applications of a given graphic monoid M the poset of all UIO's is parameterized by the poset of all left ideals of M. In more detail, if S is a left ideal of M, then an application X is an S-sheaf iff every morphism S → X in 𝒜 is of the form s ↦ x·s for a unique element x of X, and on the other hand the S-skeleton L_S(X) ⊆ X of any application X is given by

L_S(X) = ⋃_{s ∈ S} Xs

i.e. all those elements of X that are fixed by some s ∈ S. Moreover, (since idempotence is automatic and quite unlike the general case) (not only the suprema but also) the infima in this finite (distributive!) lattice are computed as ordinary (unions and) intersections.

We will attribute refined dimension S to all applications X which satisfy the "negative determination" L_S X = X. In particular, 0 will also be called of dimension -∞, and T₀ = the set of all constants of M determines the subtopos ℬ₀ of all "codiscrete" applications so that 0-dimensional means "discrete". We will assume that M has at least two constants, which implies that 𝒜 is connected (π₀1 = 1) and that the "components" functor 𝒜 → ℬ₀ (extra left adjoint to the discrete inclusion) preserves finite products [1,2]. To define coarse dimensions 1, 2, ... we will use the following

DEFINITION: If S ⊆ T are left ideals, say that T resolves the opposites of S, in symbols

S ≪ T

iff every S-skeletal application is a T-sheaf, i.e. iff R_T L_S = L_S.

Because of the nice properties of intersection mentioned in the corollary to Proposition 16, there is for every S a smallest S' which resolves the opposites of S; we may call S' the "Aufhebung" of S. Then the Aufhebung of pure being versus non-being is pure becoming versus non-becoming, i.e. codiscrete (chaotic) versus discrete, since if 0 is to be a T-sheaf, then there can be no maps T → 0, i.e. T must be non-empty, but by Proposition 12, T₀ (= the set of all constants of M) is the smallest non-empty left ideal; thus (-∞)' = 0 as claimed. Since, intuitively, one-dimensional figures are the dimensionally-smallest ones which permit connecting all those points that can be connected, still more satisfying is

PROPOSITION 17 0' = 1. That is, π₀T = 1 iff R_T L_0 = L_0. Thus T₁ is characterized as the smallest left ideal of M which is connected as a (right) application of M.

Proof: Composite adjoints are adjoint composites. Or, if discrete applications D are to be T-sheaves, then every T → D must come from an element of D; but elements of D are constant (non-becoming), hence every T → D must be constant (e.g. for D = 2), hence T must be connected.


Corollary: If M∖{1} is not connected, then M is one-dimensional, whereas if it is connected and is the "Aufhebung" of some S which is in turn an Aufhebung..., then M is at least two-dimensional.

Here the dimension of M itself is defined in terms of the length of the sequence T_{n+1} = T_n'; experience with other examples suggests that this length is the dimension for small dimensions and a simple function of it for higher dimensions.

PROPOSITION 18 If M is the free graphic monoid on k ≥ 2 generators, then dim M = 1.

Proof: Since "first letter of a word" is well-defined,

M∖{1} = Σ_{i=1}^{k} a_i M

is a disjoint sum in the category of applications, hence not connected.
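The first-letter decomposition in this proof, and the connectedness of ideals as (right) applications that Proposition 17 uses to characterise T₁, can be computed directly. The Python below is an added example, not the paper's own code: it builds the free graphic monoid on a, b, counts the connected components of M∖{1}, of each principal right ideal aM and of the principal left ideal Ma, and finds the smallest non-empty connected left ideal. The names `components`, `first_letter_parts` and `smallest_connected_left_ideal` are this example's own.

```python
"""Connectedness of ideals of the free graphic monoid on two generators, taken
as right applications of the monoid (added example, not the paper's code)."""
from itertools import combinations, permutations


def mul(x, y):
    """Free graphic product: concatenate, keeping only first occurrences of letters."""
    return "".join(dict.fromkeys(x + y))


def free_graphic_monoid(letters):
    return ["".join(p) for n in range(len(letters) + 1) for p in permutations(letters, n)]


def components(S, M):
    """Number of connected components of a subset S closed under the right action
    of M: x and x*m are joined for every m (union-find over those links)."""
    parent = {x: x for x in S}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for x in S:
        for m in M:
            rx, ry = find(x), find(mul(x, m))
            if rx != ry:
                parent[rx] = ry
    return len({find(x) for x in S})


def is_left_ideal(S, M):
    return all(mul(m, s) in S for m in M for s in S)


def left_ideals(M):
    return [frozenset(c) for n in range(len(M) + 1) for c in combinations(M, n)
            if is_left_ideal(frozenset(c), M)]


def first_letter_parts(M):
    """M minus 1 split by first letter; each part is the principal right ideal aM,
    which is what makes M minus 1 a disjoint sum of applications (Proposition 18)."""
    return {x[0]: frozenset(y for y in M if y and y[0] == x[0]) for x in M if x}


def smallest_connected_left_ideal(M):
    """T_1 as characterised in Proposition 17: the least non-empty connected left ideal."""
    return min((S for S in left_ideals(M) if S and components(S, M) == 1), key=len)
```

On two generators M∖{1} = {a, b, ab, ba} splits into {a, ab} and {b, ba}; Ma = {a, ab, ba} likewise has two components, while aM = {a, ab} is connected, and the only connected non-empty left ideal is M itself, so the sequence T₀ ⊂ T₁ = M has length one, matching dim M = 1.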


While principal right ideals are connected, principal left ideals need not be, for example, Ma in the free example on a, b:

[picture: ab]

An even smaller example of an "infinitesimal dimension" is provided by

M = [picture]

where

[picture: 0]

is a left ideal. But note that a left ideal which contains a connected left ideal is itself connected, for any t

[picture]

can be moved to a constant by the right action of a constant.


Now consider any category 𝒜 with initial and terminal objects 0, 1 and a double resolution of the latter by 𝒞, ℬ, which successively climb 𝒜-ward. Let r = pure 𝒞, ℓ = non 𝒞, R = pure ℬ, L = non ℬ. The first resolution means r0 = 0 (which implies ℓ0 = 0 if 𝒜 is a topos) while the second, Rℓ = ℓ, means that there are three (rather than four) subcategories of 𝒜 "identical" with 𝒞. Assume for simplicity that also ℓ1 = 1. Consider the category 𝔐 of all endofunctors of 𝒜 definable by composition from these and all natural transformations definable from the adjunction morphisms. 𝔐 is a finite non-symmetric monoidal category, and there is only one object q = Lr in 𝔐 which does not have either a left or a right adjoint in 𝔐; it comes from the third embedding of 𝒞 in 𝒜.

PROPOSITION 19 The objects of 𝔐 under composition constitute (up to equivalence) a graphic monoid of eight elements which has five left ideals

∅ ⊂ {0, 1} ⊂ {ℓ, q, r} ⊂ {L, R} ⊂ {1_𝒜}

(where we have shown only the elements new at each stage).

The middle of these (generated by any lower case letter) is already connected (by the right action of 0, 1).

Thus the display of 𝔐 is apparently

[figure: the Hegelian "taco", a display of the 3-dimensional 8-element graphic monoid 𝔐]

which reminded some of a taco: all the while there are two identical faces L, R with a common edge and separate (but identical) edges q, r.


To finish the proof that 𝔐 is really three-dimensional, we need only show that the Aufhebung of {ℓ, q, r} is just {L, R}, i.e. does not somehow jump all the way to the top {1_𝒜} of the dimension lattice as happens in other examples. But S = {ℓ, q, r} is actually principal, S = 𝔐ℓ, while for such principal ideals it is easily seen that L_S X = Xℓ for all applications X of 𝔐;

thus for X to be S-skeletal merely means that all elements of X are fixed by the right action of ℓ. Suppose X is all fixed by ℓ; we must show that X is already an {L, R}-sheaf, so consider any morphism f: {L, R} → X of applications, which we must show comes from a unique complete element of X. The uniqueness is immediate, since if x, y are any two elements of X with the same {L, R} part f, we have xt = yt for all t ∈ {L, R}; but t = ℓ is such and we have already assumed X fixed by ℓ: thus x = xℓ = yℓ = y. For the existence of an x extending the partial element f, note that, while a general application X consists of a complicated interlocking system of "tacos", the skeletal condition means that these are all degenerated with x = xℓ = xq = xr, i.e. all three "edges" of any element x coincide; this implies also xL = xℓL = xℓ = x and similarly xR = x, leaving only the endpoint operators x0, x1 acting possibly non-trivially: to sum up, such a skeletal 𝔐-application is in essence just a directed graph. Now a partial element f defined only on the faces {L, R} = 𝔐L has in particular all its values fixed by ℓ due to the skeletal condition, so

f(L) = f(L)ℓ = f(Lℓ) = f(ℓ)

f(R) = f(R)ℓ = f(Rℓ) = f(ℓ)

the last being true because of the Aufhebung condition Rℓ = ℓ in the definition of 𝔐 itself. Thus the element x = f(ℓ) seems the likely candidate for a complete (degenerately) three-dimensional element whose restriction to the seven-element ideal {L, R} could be f itself. Thus we try to show




f(ℓ)a = f(a)

for all seven a ∈ {L, R}. For a = L, R we have by the above

f(ℓ)L = f(L)L = f(L),
f(ℓ)R = f(R)R = f(R)

(both of course equal to f(ℓ)). For the two constants a = 0, 1 we have f(ℓ)a = f(ℓa) = f(a) since ℓ0 = 0, ℓ1 = 1. For the remaining three a = ℓ, q, r the case a = ℓ is tautologous, and for a = r, q we have

f(ℓ)r = f(ℓr) = f(ℓ)
f(ℓ)q = f(ℓ)Lr = f(ℓLr) = f(ℓ)

so that we are reduced to showing that

f(r) = f(ℓ) = f(q).

For this we need to use that f is defined also on the two-dimensional L, R since otherwise these could be three different edges (with the same endpoints f(0), f(1)) of the directed graph. But since f(R) = f(ℓ),

f(r) = f(Rr) = f(R)r = f(ℓ)r = f(ℓr) = f(ℓ)

and since f(L) = f(ℓ),

f(q) = f(Lr) = f(L)r = f(ℓ)r = f(ℓr) = f(ℓ)

so the proof is done.

Of course the above display does not show that 𝔐 is a monoidal category, not just a graphic monoid; if X ∈ 𝒜 is any "morsel", then the horizontal slice through the "taco" at X actually has canonical morphisms of 𝒜 (indexed by 𝔐), which are roughly the "Moore-Postnikov" analysis of X in case 𝒜 = combinatorial topology, as follows:

[figure: part of the category structure of 𝔐 revealed at the slice X, with vertices including LX, RX, rX]

measuring how closely the various reflections of X (into the grasped stages 𝒞, ℬ) succeed in approximating it.


PROPOSITION 20 The "slice" obtained by omitting 0, 1 from 𝔐 is as a graphic monoid isomorphic to a six-element submonoid of the monoid of all order-preserving endomaps of a three-element linearly-ordered set; namely omitting 001, 002, 112, 122 from the latter corresponds to the former via 0 ↦ ℓ, 1 ↦ q, 2 ↦ r. (Note that ℓ, q, r have become constants through this omission.)

The  proof  is  left  to  the  interested  reader. 
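Proposition 20 can be verified by direct computation. The Python below is an added example, not the paper's own code: it lists the ten order-preserving endomaps of {0, 1, 2}, drops 001, 002, 112, 122, and checks that the remaining six are closed under composition, satisfy the graphic identity, have exactly the constants ℓ, q, r (000, 111, 222), and have left ideals of the sizes the slice of 𝔐 requires. The product convention (xy)(i) = x(y(i)) and the identification 011 = L, 022 = R are assumptions made for the example (under them the relations LR = L, RL = R, Rℓ = ℓ, q = Lr used in the proof above all hold); the last function shows that with the opposite composition order the identity fails.

```python
"""Proposition 20 checked by computation (added example, not the paper's code)."""
from itertools import combinations, product


def order_preserving():
    """All order-preserving endomaps of {0,1,2}, written as tuples (m(0), m(1), m(2))."""
    return [m for m in product(range(3), repeat=3) if m[0] <= m[1] <= m[2]]


OMITTED = {(0, 0, 1), (0, 0, 2), (1, 1, 2), (1, 2, 2)}
SLICE = [m for m in order_preserving() if m not in OMITTED]
# Names from the paper for 000, 111, 222; 011 = L and 022 = R are assumed here.
NAME = {(0, 1, 2): "id", (0, 0, 0): "l", (1, 1, 1): "q",
        (2, 2, 2): "r", (0, 1, 1): "L", (0, 2, 2): "R"}
BY_NAME = {v: k for k, v in NAME.items()}


def mul(x, y):
    """Product xy with (xy)(i) = x(y(i)); the graphic identity holds for this order."""
    return tuple(x[y[i]] for i in range(3))


def is_closed():
    return all(mul(x, y) in SLICE for x in SLICE for y in SLICE)


def is_graphic():
    return all(mul(mul(x, y), x) == mul(x, y) for x in SLICE for y in SLICE)


def opposite_is_graphic():
    """The same check with yx in place of xy: the identity is not self-dual."""
    return all(mul(x, mul(y, x)) == mul(y, x) for x in SLICE for y in SLICE)


def constants():
    return {NAME[c] for c in SLICE if all(mul(c, y) == c for y in SLICE)}


def relations_hold():
    """LR = L, RL = R (the UIO equations), Rl = l (the Aufhebung condition),
    q = Lr and lr = l, all used in the three-dimensionality proof."""
    L, R, l, q, r = (BY_NAME[n] for n in "LRlqr")
    return (mul(L, R) == L and mul(R, L) == R and mul(R, l) == l
            and mul(L, r) == q and mul(l, r) == l)


def left_ideal_sizes():
    """Sizes of the left ideals: empty, {l,q,r}, {l,q,r,L,R}, everything."""
    ideals = [c for n in range(len(SLICE) + 1) for c in combinations(SLICE, n)
              if all(mul(m, s) in c for m in SLICE for s in c)]
    return sorted(len(S) for S in ideals)
```

The left-ideal chain ∅ ⊂ {ℓ, q, r} ⊂ {ℓ, q, r, L, R} ⊂ all is the chain of Proposition 19 with the constants 0, 1 removed.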
NOTES


1)  This  research  was  not  supported  by  any  granting  agency. 

2) I am not a "Hegelian", since I reject Hegel's Objective Idealism. But Hegel's partly-achieved goal of developing Objective Logic (as a component of the laws of thought at least as important as the Subjective Logic commonly considered to be "all" of Logic) is in a way the program which the whole body of category theory has been carrying out within mathematics for the past 50 years. It was because of some discoveries in the foundations of homotopy theory that I began a few years ago the study of The Science of Logic, attempting to extract the "rational kernel" which, insofar as it truly reflects laws of thought, should be useful to us in investigations like the one summarized in this paper.
Abstract

One of the most obvious applications of algebraic methods to software technology is algebraic specifications. In this paper we investigate how far the development and the reuse of modular software can effectively be supported by algebraic specifications. We show that modularity cannot be modelled as easily as one may expect, and we introduce a new semantic framework, the stratified loose semantics, which can be considered as a generalization of both initial and loose semantics and which is used to define the formal semantics of the Pluss algebraic specification language.


1  Introduction 

The problem considered in this paper concerns the algebraic specification of reusable, modular software. Since the pioneering work of [11], algebraic specifications have been advocated as being one of the most promising approaches to enhance software quality and reliability. Algebraic specifications proved to be useful not only to formally describe complex software systems, but also to prototype them (e.g. by transforming axioms into an equivalent set of rewriting rules), and to prove the correctness of these software systems (w.r.t. their formal, algebraic specification). More recently, it has also been shown that algebraic specifications provide suitable means to compute adequate test sets for the described software systems, and that they also provide a formal basis to promote software reusability (to decide whether or not some software is reusable for some specific purposes being shown equivalent to the "comparison" of the formal specification of the software to be reused with the formal specification of the software to be written). An important aim of the research activity in the area of algebraic specifications is to provide adequate concepts, languages and tools to cover the whole software development process and to establish their mathematical foundations.

¹ This work is partially supported by ESPRIT Project 432 METEOR and C.N.R.S. GRECO de Programmation.


In  this  paper  we  shall  focus  on  the  links  that  can  (should)  be  established  between 
a  structured  specification  and  the  corresponding  software  implemented  using  a  modular 
programming  language  such  as  Ada,  Clu  or  ML.  The  problem  considered  is  to  define 
an  algebraic  semantic  framework  such  that  the  various  pieces  of  the  specification  can  be 
related  to  the  various  modules  of  the  implementation  and  such  that  the  global  correctness 
of  the  implementation  can  be  established  from  the  local  correctness  of  each  software  module 
w.r.t.  its  specification  module. 


2  Modularity  and  loose  algebraic  specifications 

To  better  understand  why  and  how  far  both  the  modularity  of  the  specification  and  the 
modularity  of  the  software  interact  together  as  well  as  the  need  for  a  new  approach  to 
the  semantics  of  algebraic  specifications,  we  shall  first  briefly  recall  the  main  underlying 
paradigm  of  the  loose  approach. 


A  specification  is  supposed  to  describe  a  future  or  existing  system  in  such  a  way  that 
the  properties  of  the  system  (what  the  system  does)  are  expressed,  and  the  implementa¬ 
tion  details  (how  it  is  done)  are  omitted.  Thus  a  specification  language  aims  at  describing 
classes  of  correct  (w.r.t.  the  intended  purposes)  implementations  (realizations) .  In  contrast 
a  programming  language  aims  at  describing  specific  implementations  (realizations).  In  a 
loose framework, the semantics of some specification S is a class M of (non-isomorphic) algebras. Given some implementation (program) P, its correctness w.r.t. the specification S can then be established by relating the program P with one of the algebras of the class M. Roughly speaking, the program P will be correct w.r.t. the specification S if and only if the algebra defined by P belongs to the class M.²


Let us now reexamine the above picture in a modular setting. On the one hand we have a modular specification S made of some specification modules S₁, S₂, ... tied together by some specification-building primitives. On the other hand we have a modular program P made of some program modules P₁, P₂, .... Assume moreover that the program structure reflects the specification structure. The problem we have to solve is the following one:

² This is of course an oversimplified picture: indeed, the program P should be considered as a correct implementation of S if and only if the algebra defined by P is "behaviorally equivalent" to some algebra belonging to M (see e.g. [14]). However, in the sequel we shall adopt the oversimplified understanding of program correctness, since it will be sufficient to study the impact of modularity. Note also that our picture does not preclude more refined views about implementations, such as the abstract implementation of one specification by another (more concrete) one [3,7], or the stepwise refinement and transformation of a specification into a piece of software [2]. This indeed is the reason why we shall speak of "realizations" instead of "implementations".
1. To define a notion of correctness such that “the program module $P_2$ is correct w.r.t. the specification module $S_2$” is given a precise meaning, and

2. To ensure that the local correctness of each program module w.r.t. its specification module implies the global correctness of the whole program w.r.t. the whole specification, and

3. To carefully study how some basic requirements about the modular development of modular software, as well as their reusability, interact with the design of the semantics of the (modular) specifications.

It turns out that the main difficulties raised by this goal are twofold:

1. Providing a (loose) semantics to specification modules is not so easy, since from a mathematical point of view (heterogeneous) algebras do not have a modular structure.

2. While our intuition and needs about modular software development and the reuse of modular software can easily be figured out, this is not the case at the level of algebraic semantics.

In the following section we shall try to provide some insight into the solution we propose and into the main ideas underlying what we call the “stratified loose semantics”.


3  The  stratified  loose  semantics 

For the sake of simplicity, we shall focus on the most commonly used specification-building primitive, namely the enrichment one. Moreover, we shall assume that the modular specification we consider is made of one specification module $S_2$ that enriches only one other specification module $S_1$, which in turn may enrich other specification modules.

The specification module $S_1$ determines the specification $S_1$, the semantics of which is some class of models (or algebras). The signature associated to $S_1$ is denoted by $\Sigma_1$, while the distinguished subset³ of $\Sigma_1$ corresponding to the generators of the defined sorts is denoted by $\Omega_1$. The class of models associated to $S_1$ is denoted by $\mathcal{M}_1$. Similar notations hold for the $S_2$ specification module. Note that we have $\Sigma_1 \subseteq \Sigma_2$ and $\Omega_1 \subseteq \Omega_2$. $U$ denotes the usual forgetful functor from $\Sigma_2$-algebras to $\Sigma_1$-algebras; the image $U(\mathcal{M}_2)$ of the class $\mathcal{M}_2$ by the forgetful functor $U$ will also be denoted by $\mathcal{M}_2|_{\Sigma_1}$, and in the same way the image by $U$ of some model $M_2$ of $\mathcal{M}_2$ is denoted by $M_2|_{\Sigma_1}$.

³In Pluss, this distinguished subset is specified apart from the other operations and is introduced by the keyword generated by.




With the help of this simple example, our intuition and needs w.r.t. the modular development of modular software can be summarized as follows:

1. If some piece of software fulfills (i.e. is a correct realization of) the “large” specification $S_2$, then it must be reusable for simpler purposes (i.e. it must also provide a correct realization of the sub-specification $S_1$).

2. Any piece of software that fulfills (i.e. that is a correct realization of) the sub-specification $S_1$ should be reusable as the basis of some correct realization of the larger specification $S_2$. In other words, it should be possible to implement the sub-specification $S_1$ without taking care of the (future or existing) enrichments of this specification (e.g. by the specification module $S_2$).

3. It should be possible to implement the specification module $S_2$ without knowing which particular realization of the sub-specification $S_1$ has been (or will be) chosen. Thus, the various specification modules should be implementable independently of each other, possibly simultaneously by separate programmer teams. Moreover, exchanging some correct realization (say $P_1$) of the specification module $S_1$ with another correct one (say $P'_1$) should still produce a correct realization of the whole specification $S_2$, without modification of the realization $P_2$ of the specification module $S_2$.

The first two requirements can be easily achieved by embedding some appropriate hierarchical constraints into the semantics of the enrichment specification-building primitive. Roughly speaking, it is sufficient to require the following property:

Either $\mathcal{M}_2 = \emptyset$ (in that case the specification module $S_2$ will be said to be hierarchically inconsistent) or $\mathcal{M}_2|_{\Sigma_1} = \mathcal{M}_1$.

The third requirement, however, cannot be achieved without providing a suitable (loose) semantics to specification modules. There is no way to take this requirement into account by only looking at the semantics of specifications. The following definition provides the solution we are looking for by embedding the ideas of the initial approach to algebraic semantics into the loose one:

Definition (Stratified loose semantics):

Let $\mathcal{M}_1$ be the class of the models of the specification $S_1$ (according to this current definition), and $\mathcal{M}'_2$ be the class of all the $\Sigma_2$-algebras finitely generated w.r.t. $\Omega_2$, for which the axioms $Ax(S_2)$ hold, and which produce $S_1$ models when the new part specified by the specification module $S_2$ is forgotten by the forgetful functor $U$ (i.e. we have $U(\mathcal{M}'_2) \subseteq \mathcal{M}_1$).

• If $\mathcal{M}'_2$ is empty, the enrichment is said to be (hierarchically) inconsistent and the semantics of the specification module $S_2$ is empty, as well as the semantics $\mathcal{M}_2$ of the whole specification $S_2$.

• Otherwise, the semantics of the specification module $S_2$ is defined as being the class $\mathcal{F}_2$ of all the mappings $F$ such that:

1. $F$ is a (total) functor from $\mathcal{M}_1$ to $\mathcal{M}'_2$.

2. $F$ is a right inverse of the forgetful functor $U$, i.e.: $\forall M_1 \in \mathcal{M}_1 : U(F(M_1)) \simeq M_1$.

If the class $\mathcal{F}_2$ is empty, then the enrichment is also said to be (hierarchically) inconsistent.

• The semantics of the whole specification $S_2$ is defined as being the class of all the models image by the functors $F$ of the models of $\mathcal{M}_1$:

$$\mathcal{M}_2 = \bigcup_{F \in \mathcal{F}_2} F(\mathcal{M}_1)$$

The class $\mathcal{M}_2$ of the models of the specification $S_2$ is said to be stratified by the functors $F$.

Some comments are necessary to better understand the previous definition:

• In the definition above, the restriction to models finitely generated w.r.t. the generators is made to guarantee that all values will be denotable as some composition of these generators. Thus, structural induction using these generators is a correct proof principle.

• Our semantics is loose, since it associates a class of (non-isomorphic) functors (resp. algebras) to a given specification module (resp. to a given specification). However, our semantics can also be considered as a generalization of the initial approach: under suitable assumptions, the free functor from $\Sigma_1$-algebras to $\Sigma_2$-algebras is just one specific functor in the class $\mathcal{F}_2$.

•  It  is  also  important  to  note  that  our  definition  is  almost  independent  of  the  underlying 
institution  [13]. 

As  a  last  remark,  we  must  point  out  how  far  our  definition  solves  the  problem  stated  in 
the  previous  section.  A  program  module  will  be  said  to  be  correct  w.r.t.  some  specification 
module  if  and  only  if  it  induces  a  functor  belonging  to  the  semantics  of  the  specification 
module.  From  our  definition,  it  is  then  clear  that  the  “composition”  of  correct  program 
modules  (i.e.  the  program  obtained  by  linking  together  these  program  modules)  is  always 
a  correct  realization  of  the  whole  specification. 
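As an added example (not part of the paper; the SWITCH specification, its enrichment, and the program modules below are constructed for illustration), the definition can be exercised on finite models in Python. The class $\mathcal{M}_1$ is enumerated on small carriers, a program module for $S_2$ is a Python function mapping a realization of $S_1$ to a $\Sigma_2$-algebra, and the two conditions of the definition (landing in $\mathcal{M}'_2$ and being a right inverse of $U$) are checked directly. Only the object part of each functor is checked, which is what the right-inverse condition constrains; hierarchical inconsistency is shown with a second enrichment whose extra axiom collapses the two generators.

```python
"""Stratified loose semantics on finite models (constructed example, not the paper's code).

Terms: a plain string is a variable ("x") or a nullary generator ("on", "off");
("flip", t) applies a unary operation.  An algebra is a dict
{"carrier": frozenset, "ops": {name: {arg_tuple: value}}}  (a single sort).
"""
from itertools import product

# S1 = SWITCH: generators on/off, operation flip, axioms flip(on)=off, flip(off)=on.
SIG1 = {"on": 0, "off": 0, "flip": 1}                 # operation name -> arity
GENS = {"on", "off"}                                   # Omega_1 = Omega_2: the generators
AXIOMS1 = [(("flip", "on"), "off"), (("flip", "off"), "on")]
# S2 enriches S1 with twice : s -> s and the axiom twice(x) = flip(flip(x)).
SIG2 = {**SIG1, "twice": 1}
AXIOMS2 = AXIOMS1 + [(("twice", "x"), ("flip", ("flip", "x")))]
# A second, hierarchically inconsistent enrichment: flip(x) = x forces on = off.
AXIOMS2_BAD = AXIOMS1 + [(("flip", "x"), "x")]


def ev(alg, term, env):
    """Evaluate a term in an algebra under a variable assignment."""
    if isinstance(term, tuple):
        op, arg = term
        return alg["ops"][op][(ev(alg, arg, env),)]
    if term in alg["ops"]:                              # nullary generator
        return alg["ops"][term][()]
    return env[term]                                    # variable


def satisfies(alg, axioms):
    """Every axiom holds for every value of the (single) variable x."""
    return all(ev(alg, lhs, {"x": v}) == ev(alg, rhs, {"x": v})
               for lhs, rhs in axioms for v in alg["carrier"])


def generated(alg, gens):
    """Finitely generated w.r.t. gens: every carrier value is reachable from them."""
    reach = {alg["ops"][g][()] for g in gens}
    while True:
        new = {res for table in alg["ops"].values()
               for args, res in table.items() if all(a in reach for a in args)}
        if new <= reach:
            return reach == alg["carrier"]
        reach |= new


def forget(alg, sig):
    """The forgetful functor U: keep only the operations of the smaller signature."""
    return {"carrier": alg["carrier"], "ops": {n: alg["ops"][n] for n in sig}}


def models(sig, axioms, gens, max_size=2):
    """Generated models of (sig, axioms) on carriers {0..n-1}, n <= max_size.
    Isomorphic copies are kept; they do not affect the membership checks below."""
    found = []
    for n in range(1, max_size + 1):
        carrier = frozenset(range(n))
        tables_per_op = []
        for arity in sig.values():
            inputs = list(product(carrier, repeat=arity))
            tables_per_op.append([dict(zip(inputs, outs))
                                  for outs in product(carrier, repeat=len(inputs))])
        for tables in product(*tables_per_op):
            alg = {"carrier": carrier, "ops": dict(zip(sig, tables))}
            if generated(alg, gens) and satisfies(alg, axioms):
                found.append(alg)
    return found


def models2_prime(m1, sig2, axioms2, gens, sig1=SIG1):
    """M2': generated Sigma2-algebras satisfying Ax(S2) whose U-image lies in M1."""
    return [m for m in models(sig2, axioms2, gens) if forget(m, sig1) in m1]


def hierarchically_consistent(m1, m2_prime, sig1=SIG1):
    """Necessary for F2 to be non-empty: M2' is non-empty and U(M2') covers M1."""
    images = [forget(m, sig1) for m in m2_prime]
    return bool(m2_prime) and all(m in images for m in m1)


def in_stratified_semantics(functor, m1, sig1, sig2, axioms2, gens):
    """functor is in F2: total on M1, lands in M2', and U(functor(M)) = M for every M."""
    for m in m1:
        try:
            img = functor(m)
        except Exception:                               # not total on M1
            return False
        if set(img["ops"]) != set(sig2):
            return False
        if not (generated(img, gens) and satisfies(img, axioms2)):
            return False                                # not in M2'
        if forget(img, sig1) != m:
            return False                                # not a right inverse of U
    return True


def p2_correct(m1):
    """Program module for S2, written without knowing which realization of S1 is used."""
    flip = m1["ops"]["flip"]
    twice = {(v,): flip[(flip[(v,)],)] for v in m1["carrier"]}
    return {"carrier": m1["carrier"], "ops": {**m1["ops"], "twice": twice}}


def p2_wrong(m1):
    """Defective module: twice is a single flip, violating the S2 axiom on a 2-state switch."""
    return {"carrier": m1["carrier"], "ops": {**m1["ops"], "twice": dict(m1["ops"]["flip"])}}


def global_models(functors, m1):
    """M2 = union of F(M1) over F in F2: linking any correct P1 with any correct P2."""
    return [f(m) for f in functors for m in m1]


if __name__ == "__main__":
    M1 = models(SIG1, AXIOMS1, GENS)
    print("p2_correct in F2:", in_stratified_semantics(p2_correct, M1, SIG1, SIG2, AXIOMS2, GENS))
    print("p2_wrong in F2:", in_stratified_semantics(p2_wrong, M1, SIG1, SIG2, AXIOMS2, GENS))
    print("bad enrichment consistent:",
          hierarchically_consistent(M1, models2_prime(M1, SIG2, AXIOMS2_BAD, GENS)))
```

The membership test plays the role of "the program module is correct w.r.t. the specification module": `p2_correct` is accepted because it works uniformly over every model of $S_1$ (the one-state and the two-state switches alike), while `p2_wrong` is rejected on the two-state model even though it happens to satisfy the axiom on the one-state model. The collapsing enrichment fails the necessary condition $\mathcal{M}'_2|_{\Sigma_1} = \mathcal{M}_1$, since no $\Sigma_2$-model forgets to a two-state switch.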

The extension of the definition above to the case where the specification module $S_2$ enriches more than one specification module, as well as its extension to other specification-building primitives (such as e.g. parameterization), do not raise difficult problems and are described in [4].
4 Conclusion


The main significance of the stratified loose framework outlined in this paper is that it is possible to specify and develop software in a modular way, and that the correctness of the implementation should only be established on a module per module basis. A formal theory of software reusability, built on top of our stratified loose semantics, is described in [10].

As a consequence of the “hierarchical constraints” required by modularity, it is necessary to state a careful distinction between “implementable” and “not yet implementable” specification modules. This is done in the Pluss algebraic specification language [4,5], the semantics of which is defined following the stratified loose approach. Such a distinction contrasts with all other specification languages developed following either the initial or the loose approach, such as ACT ONE [6,8], ASL [15,1], OBJ2 [9] and LARCH [12], where there is only a distinction between various enrichment primitives.
1 Introduction

The importance of decomposing large software systems into modules to improve their clarity, facilitate proofs of correctness, and support reusability has been widely recognized within the software engineering community. Recently, considerable interest has developed in techniques for keeping track of structural and historical relationships between modules as a system evolves over time. In this paper, we study these issues within a formal semantic framework for modules based on algebraic specifications. Our goal is to clearly formulate fundamental ideas in this area to serve as a guide to the design of methodologies and tools for software engineering.

We first present an algebraic concept of modules and their interfaces which is suitable for all phases of the software development process: from requirements specification to high-level design specification to executable code. This concept has evolved over the last ten years, from early work on abstract data types [LZ74, GTW76, TWW78], into its present form [WE86, BEPP87]. We then present a set of fundamental operations on interface and module specifications, including horizontal structuring operations for building up specifications, vertical development steps which refine abstract specifications into more concrete forms, and realization of interface specifications by module specifications. A variety of different program development methodologies can be formulated within this framework. For example, a top-down approach might start with high-level requirements expressed as interface specifications. Then, vertical development steps could be taken to elaborate the design, perhaps introducing some horizontal structure. Eventually, the interface specifications would be realized by module specifications to produce a high-level description of the implementation. Finally, additional vertical development steps could be taken until an acceptable implementation is produced.

The algebraic framework allows us to study semantic interactions between horizontal structuring, vertical development, and realization. For example, we study whether horizontal operations are compatible with vertical steps in the sense that a compound module is refined when its submodules are refined. These operations and results concerning their compatibilities are discussed in more detail in [EFH+87].

Our most recent work, discussed here and in more detail in our technical report [EFH+88], studies the construction and evolution of module families. A module family is a collection of conceptually related modules, usually revisions and variants, which have developed over time. Module families provide structure to a module library, facilitating the storage, access, and reuse of its members. In addition, module families allow the members of a group of conceptually related systems to be manipulated all at once rather than individually. In our framework, a module family is defined to be a set of module specifications, each of which realizes a common abstract interface. Each module family has a set of relations, such as refinement_of, revision_of, and variant_of, defined on its members. We show how the horizontal operations on interface and module specifications can be applied to entire module families to produce configuration families and how refinements of the underlying modules induce refinements of configurations.

*This research was carried out as part of an exchange program between TUB and USC.

†TU Berlin, Institut für Software und Theoretische Informatik, Franklinstraße 28/29, D-1000 Berlin 10
Figure 1: Module Specifications


2  Preliminaries 

An algebraic datatype specification is a triple $SPEC = (S, OP, E)$ where $S$, $OP$, and $E$ are sets of sort symbols, operation symbols, and equations respectively. A specification morphism $f : SPEC_1 \to SPEC_2$ between specifications $SPEC_i = (S_i, OP_i, E_i)$ for $i = 1, 2$ is a pair of functions $f = (f_S : S_1 \to S_2,\ f_{OP} : OP_1 \to OP_2)$ such that for each $N : s_1, \ldots, s_n \to s$ in $OP_1$ we have $f_{OP}(N) : f_S(s_1), \ldots, f_S(s_n) \to f_S(s)$ in $OP_2$, and for each $e$ in $E_1$ the translated equation $f^*(e)$ is provable from $E_2$. A $SPEC$-algebra $A$ consists of a base set $A_s$ for each $s \in S$ and an operation $N_A : A_{s_1}, \ldots, A_{s_n} \to A_s$ for each operation symbol $N : s_1, \ldots, s_n \to s$ in $OP$. The operations are required to satisfy all equations in $E$. $SPEC$-algebras and homomorphisms between them define a domain $Alg(SPEC)$ used to define the semantics of modules. For each specification morphism $f : SPEC_1 \to SPEC_2$ there is a forgetful construction $FORGET_f : Alg(SPEC_2) \to Alg(SPEC_1)$ which forgets all base sets and operations not in $f(SPEC_1)$, and a free construction $FREE_f : Alg(SPEC_1) \to Alg(SPEC_2)$ which transforms each $SPEC_1$-algebra $A_1$ into a freely generated $SPEC_2$-algebra. For more details, see [EM85].


3  Module  and  Interface  Specifications 

A module specification $MOD = (PAR, IMP, EXP, BOD, i, e, s, v)$ contains four algebraic datatype specifications.

• The import part $IMP$ identifies the sorts and operations which are to be brought into the module. In general, the equations in the import part describe only essential or unusual properties of these operations; their complete definition is left up to the imported module.

• The export part $EXP$ identifies those sorts, operations, and equations that are visible outside the module. The export part can be used to hide the representation of data and functions, and to hide auxiliary sorts and operations.

•  The  parameter  part  PAR  contains  sorts,  operations,  and  equations  which  are  common  to  the  import 
and  export  parts.  These  components  are  intended  to  be  generic  parameters  of  the  entire  modular 
system  and  may  be  instantiated  with  particular  values. 

•  The  body  part  BODY  contains  equations  which  define  the  operations  of  the  export  part  in  terms 
of  the  operations  of  the  import  part.  The  body  may  contain  auxiliary  sorts  and  operations  which 
do  not  appear  in  any  other  part  of  the  module. 

These algebraic datatype specifications are connected by specification morphisms $i : PAR \to IMP$, $e : PAR \to EXP$, $s : IMP \to BOD$, and $v : EXP \to BOD$ such that the diagram in figure 1 commutes. The semantics of $MOD$ is given by the function $SEM : Alg(IMP) \to Alg(EXP)$ mapping import algebras to export algebras as follows: $SEM = FORGET_v \circ FREE_s$. A module specification is said to be correct if it is strongly persistent, i.e., if the free construction $FREE_s : Alg(IMP) \to Alg(BOD)$ leaves the semantics of every import algebra unchanged.
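As an added worked example (not from the paper; the module and all names in it are hypothetical), here is a small module specification in exactly this shape, followed by its semantics under $SEM = FORGET_v \circ FREE_s$:

```latex
% Hypothetical module LIST-OF-DATA (added example, not from the paper).
% PAR holds what import and export share: the element sort and the counter sort.
\begin{aligned}
PAR &= (\{data, nat\},\ \{0 : \to nat,\ succ : nat \to nat\},\ \emptyset) \\
IMP &= PAR + (\emptyset,\ \{add : nat\ nat \to nat\},\
              \{add(0, n) = n,\ add(succ(m), n) = succ(add(m, n))\}) \\
EXP &= PAR + (\{list\},\ \{nil : \to list,\ cons : data\ list \to list,\
              length : list \to nat,\ sumlen : list\ list \to nat\},\ \emptyset) \\
BOD &= IMP + EXP + (\emptyset,\ \emptyset,\ E_{BOD}) \\
E_{BOD} &= \{length(nil) = 0,\ length(cons(d, l)) = succ(length(l)),\
            sumlen(l_1, l_2) = add(length(l_1), length(l_2))\}
\end{aligned}
```

All four morphisms $i, e, s, v$ are inclusions, so $s \circ i = v \circ e$ and the square commutes. For an import algebra $A$ with base sets $A_{data}$, $A_{nat}$ and operations $0_A$, $succ_A$, $add_A$, the free construction $FREE_s(A)$ adds a base set $A_{list}$ of finite sequences over $A_{data}$ (generated by $nil$ and $cons$) and the operations $length$ and $sumlen$ fixed by $E_{BOD}$, while $A_{data}$, $A_{nat}$, $0_A$, $succ_A$ and $add_A$ are left untouched: $FORGET_s(FREE_s(A)) \cong A$, so the module is strongly persistent and hence correct. $SEM(A) = FORGET_v(FREE_s(A))$ then keeps the list part together with $A_{data}$, $A_{nat}$, $0_A$, $succ_A$ and hides $add_A$, which the body used but the export does not show.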

Horizontal structuring operations are used to build up module specifications. The most commonly used horizontal operation is composition. The composition of module specifications $MOD_1$ and $MOD_2$, denoted $MOD_1 \bullet MOD_2$, connects the import part of $MOD_1$ with the export part of $MOD_2$, as shown in figure 2. The connection is established by a pair of specification morphisms $h_1 : IMP_1 \to EXP_2$ and $h_2 : PAR_1 \to PAR_2$. The composite module $MOD_3$ has the same import part as $MOD_2$, the same export and parameter parts as $MOD_1$, and body given by the union of the bodies of $MOD_1$ and $MOD_2$. The subdiagrams (1), (2), and (3) must commute and (4) is constructed as a pushout diagram. A fundamental result here is that, if $MOD_1$ and $MOD_2$ are correct, then $MOD_3$ is correct and its semantics $SEM_3$ is given by $SEM_3 = SEM_1 \circ FORGET_{h_1} \circ SEM_2$.

Figure 2: Composition of Module Specifications

Figure 3: Refinement of Module Specifications

Vertical development steps transform abstract specifications into more concrete forms. The most commonly used vertical operation is refinement. Intuitively, a refined specification more completely describes the resources that the module will produce and the resources that are required to produce them. A refined specification has additional sorts, operations, and equations in its import, export, and parameter parts. A specification and its refined version are connected by three specification morphisms $r_P : PAR_1 \to PAR_2$, $r_E : EXP_1 \to EXP_2$, and $r_I : IMP_1 \to IMP_2$ as shown in figure 3. All subdiagrams in this figure must commute. This is called a weak refinement since it satisfies only basic syntactic requirements. A weak refinement is called a refinement if the modules are semantically compatible with respect to their common elements, i.e., if $SEM_1 \circ FORGET_{r_I} = FORGET_{r_E} \circ SEM_2$.

A fundamental result here is that refinement is compatible with composition. Given (weak) refinements of $MOD_1$ by $MOD'_1$ and of $MOD_2$ by $MOD'_2$, and well-defined compositions $MOD_3 = MOD_1 \bullet MOD_2$ and $MOD'_3 = MOD'_1 \bullet MOD'_2$, there is an induced (weak) refinement of $MOD_3$ by $MOD'_3$.

An interface specification gives the external features of a module without describing how it is to be implemented. An interface specification $INT = (PAR, IMP, EXP, i, e)$ is simply a module specification without a body $BOD$ and the related morphisms $s$ and $v$. Horizontal operations, such as composition, and vertical operations, such as refinement, can be restricted to interface specifications. A realization of an interface specification is a module specification which implements it. A realization is given by a triple of specification morphisms satisfying the same properties as a weak refinement.
4 Module and Configuration Families


We define a module family to be a set of module specifications, each of which realizes a common interface specification. A module family $MODFAM = (INT, (MOD_j, r_j)_{j \in J}, REL)$ consists of an interface specification $INT$ called the abstract interface of $MODFAM$, a family of module specifications $MOD_j$ and realizations $r_j : INT \to MOD_j$ for each $j \in J$, and a set of relations $REL$ on $J$. The index set $J$ is assumed to be empty when a new module family is created. An update of the module family entails modification of $MOD_j$, $r_j$ and the corresponding set $J$. The set $REL$ is intended to include different relations, such as refinement, between the versions of $MODFAM$.

A configuration family is a set of compound modules constructed in a uniform way from a set of module families. Given an $n$-tuple of module families $MODFAM_i = (INT_i, (MOD_{i,j})_{j \in J_i}, REL_i)$ for $i = 1, \ldots, n$, a configuration family $CONFAM = (INT, OP, J, f, REL)$ consists of an interface specification $INT$ called the abstract interface of $CONFAM$, an $n$-ary horizontal operation $OP$, a version index set $J$, an $n$-tuple of version functions $f = (f_i : J \to J_i)_{i = 1, \ldots, n}$, and a set of relations $REL$ on $J$. The version functions select $n$-tuples of module family members to be combined, using $OP$, to produce members of the configuration family. Each such $n$-tuple defines one configuration given by some $j \in J$. The corresponding $n$-tuple is $(MOD'_{1,j}, \ldots, MOD'_{n,j})$ with $MOD'_{i,j} = MOD_{i, f_i(j)}$ for $i = 1, \ldots, n$. Four basic consistency conditions must hold. For example, version consistency makes sure that the tuples of modules can be appropriately combined. We have the following fundamental results.


•  Induced  Module  Family:  There  is  an  induced  module  family  corresponding  to  the  result  of  applying 
OP  to  those  members  of  MODFAMi  given  by  the  version  functions. 


• Induced Refinement: Refinements between members of the module families induce refinements between corresponding configurations in CONFAM provided that certain basic compatibility conditions hold.


•  Induced  Updates:  Given  an  update  of  MODFAMi  by  additional  realizations,  there  is  an  induced 
update  of  CONFAM  by  additional  realizations  provided  that  certain  basic  compatibility  conditions 
hold. 
Introduction

We develop a model of the early stages of language design based on universal algebra, and apply this model to a key issue in early design. The benefit of an algebraically based design model is that it allows us to rationalize aspects of design which are otherwise isolated as mysterious processes with little structure. In turn, the benefit of this rationalization is that it allows designs to be made definite, concrete and visible. It is possible to use such designs to reason about design issues. The particular issue to which we apply our model is that of reusability of designs: Suppose a language is designed which lacks an important property. How might the language be altered, or redesigned, to obtain that property? The particular class of properties that we focus on here concerns the stages of evaluation of a language (compile time and run time are examples of stages) and the desire to maximize or minimize the amount of evaluation that goes on at each stage. Our claim is that the usual types of language definition and language design tools do not aid the designer in exploring language choices, while ours do.

We have not worked out a model that demystifies every aspect of language design, but we do know how to deal with some important features, and can tell a complete story about abstract representation of "stages of evaluation" in a language definition, based on a notion of removal of information from an algebraic representation of a language. [Bradley 88] and [Bradley 89] give more details of some of the underpinnings of the approach that is outlined below. Our goal in this abbreviated paper is to introduce two key notions. One is the notion of an early stage of language design. An early stage is characterized by a lack of syntax, and by wild experimentation with the structure and contents of the basic semantic domain. A late stage, in contrast, is characterized by fairly well accepted syntax, a well understood semantics (informal, at least) and virtually no experimentation with the basic semantic domain. The second notion we introduce is of staged evaluation of an expression in a language. One of the key concerns of a language designer in the early stages is to design a language so that it can be efficiently evaluated. This usually boils down to meaning that efficiency at some stages (such as compile time) will be happily sacrificed to improve efficiency at other stages (such as run time). This paper outlines a way to examine and manipulate stages of evaluation early in the formal design of a language.

The  early  stages  of  design  (informal) 

Unlike syntax and semantics, design is not an aspect of artificial languages that has been amenable to formalization. Most studies of the design of programming languages have been extremely informal ([Ghezzi 87], [MacLennan 87], [Hoare 73], [Wirth 74], for example). Typically, these treatments are advice on the properties a language should have, such as orthogonality and readability. More formal approaches to language design range from early work on extensible languages to very recent work on semantics based design and tools for language specification ([Paulson 82], [Lee 87], [Blikle 86] and [Ligler 75]). These approaches are uniformly based on the idea that language design begins when a syntax is formally defined, and finishes when a notion of semantics is made precise. More useful are approaches such as Pratt's ([Pratt 83]) describing significant paradigm shifts in the design of languages, and approaches that deal with the design of constructs to solve particular problems, such as [Hudack 88], and [Solworth 88].

At a more practical and realistic level, language design begins with the design of the semantic domain -- the decision on what is to be represented in the language. This decision requires insight, imagination, and deep understanding of the particular domain. In the earliest stages of design, language designers are not faced with issues such as whether the constructs in the language are orthogonal or readable. These issues are so generic that advice on them cannot help a designer faced with the particular problems of a specific domain. Some of the realistic questions of the early design stage are the following. A designer might

• want to develop language constructs for highly parallel operations on lists (see [Solworth 88], for example)

• want to design a language in which software faults are reduced. This requires a thorough understanding of how software faults occur, followed by a design of constructs to avoid them.

• feel that it is necessary to allow some type cheating in a language, but might also want to restrict it. The designer might want to develop a construct for "structured" type cheating, but may be unsure how the structuring should be done (see [Geschke 77] for a discussion of this in Mesa).

• want to allow a wide variety of notions for arrays, from static, as in Pascal, to fully dynamic, as in APL, but may not understand the effects this decision will have on the compilation and run time of the programs.

The typical, extremely general, advice given in informal treatments of language design is not useful in these sorts of design situations, and neither are the semantics based language design tools, since they force the designer to start by giving a syntax, and these issues are prior to that stage.


The  early  stages  of  design  (formal) 

The model of language design that we present here rationalizes design by presenting it as definitional, informative and concrete. By definitional we mean that the formal expression of the design can be used to define the language. By informative we mean that information about the language that is lacking in other forms of definition, for example syntax and semantics, is present in the formally expressed design. By concrete we mean designs done in steps so that they have stable intermediate results, and so that the method of going from one stable intermediate to another is describable and computable.

The model of language design can be summed up as follows. All language design starts with a world, which has structure. Informally, a world is anything that can be symbolized, and its structure is a classification of the types of objects, functions and relations in the world. Formally, a world is a many-sorted algebra, and its structure is identified with the signature of the algebra.

Language design proceeds as a sequence of decisions on how to represent the objects, functions and relations of the world. In the early stages of design the crucial step is acquiring new world views by manipulating world structure. The variation in world views may be extreme -- for instance replacing Horn clauses without equality by equational logic in the logic underlying a relational language such as Prolog -- or it may be minor -- choosing a new name for an object. In our model of design each of these manipulations is a mapping from algebras to algebras. The final result is a design which is expressed as a sequence of such mappings. Designs rationalized in this manner are then open for inspection and manipulation.

Our model of design is based on three kinds of manipulations. These are

• Metaphor or structure adoption. This is the most radical kind of manipulation that can be performed on a world, and is loosely analogous to the working of metaphor in natural language, where the structure of one domain is adopted to structure another domain. For example, the linear ordering on temperatures can be used to order the domain of putters, as in "His putting is hot", in which the implication is that his putting is very "high", or good. With respect to language design, the following are examples of structure adoption. A construct, such as a new repeat statement, could be added to the language from another language. A more complex example, which happens quite often, is to adopt structure within the language from its semantic domain. For example, the semantics of a read statement might involve checking the next input value to ensure that its type is compatible with the type of the variable being read into, and invoking an error continuation if it is not. Adopting this action of the runtime system into the language itself is very useful, and amounts to allowing programmer control over exception handling for read.

• Structure reshaping. In this manipulation the structure of the world is altered, but in such a way that all the computations expressible in the original world, or some subset thereof, are expressible in the altered world. This kind of manipulation is exemplified by activities such as forming a derived operation over the original algebra, merging separate operations into one, or renaming an operation.

• Splitting. In this manipulation the structure of the world is represented jointly by two or more separate worlds. This manipulation allows the language designer to introduce stages of evaluation into the language, as will be described further below. The intuition behind this is that the designer can control the stage at which information about objects becomes available by removing them, or parts of them, from the original algebra and placing them in associated algebras which are available at another stage of evaluation.


A particular problem concerning "stages of evaluation"

We can apply this formalization of the early stages of language design to an issue which is central to design. The issue is this: suppose we have a language L, defined by grammar G and semantics S, which does not satisfy some property P. What changes can we make to L (that is, to G and S) so that the changed language L', defined by grammar G' and semantics S', satisfies P? This is clearly a central issue in design; it is also quite vast. We examine instances of this question for a class of properties that capture aspects of time of evaluation for expressions in a program. In particular we restrict our attention to the solution of this problem for properties that concern the "stage of evaluation" at which certain information is known about a program. For example, the property of being statically typed (i.e. the property that all types can be determined at compile time) is such a property. We will now discuss the idea of stages of evaluation more generally.

What are stages of evaluation?

The usual way of thinking about language evaluation is timeless. An expression in a language is given a meaning by the semantic function, which maps expressions into meanings, and there is no notion of stages in this evaluation. Yet in both natural and artificial languages there are many examples of languages whose semantics are given in stages. For example, in natural language semantics the classical treatment of intension and extension is a strategy for separating the "meaning" of a sentence in the abstract (the intension, given as a function from possible worlds to truth values) from the "value" of a sentence as used in a particular situation (the extension, given as a truth value). In modern unification-based treatments, such as Head-driven phrase structure grammar ([Pollard 87]), a similar recognition of the stages of evaluation for natural languages is expressed in the treatment of the meaning of a term as coming about in a cumulative fashion via the interaction of constraints arising from several sources (phonological, syntactic, semantic, contextual).

Artificial languages, too, have this same aspect. In particular, the evaluation of a program in a programming language can be viewed very naturally as coming about in a cumulative fashion via the interaction of information about its evaluation that is gathered at various stages. A classical instance of this is the representation of finite mappings in programming languages. Most languages support the same notion of finite mapping, as arrays, but they differ widely in the constraints they place on the stages of evaluation at which information about the finite mapping has to be known. In Pascal all information about the finite mapping, including dimension, bounds and component type, has to be present in the text of the program itself; in AlgolW all information about dimension and component type has to be present in the program text, but the information about the bounds can be delayed until the prologue to the block in which the array was declared is executed; finally, in a language such as APL no information about the dimension, bounds, or component type has to be fixed in the program text. Rather, all of this information can be supplied repeatedly at run-time.

This notion of stages of evaluation is important because many aspects of the efficiency of program evaluation are tied to it. Abstractly, when evaluation of a program occurs in stages it is typical that these stages are not viewed uniformly. It is much more important for some stages to be performed quickly, or using less space, than it is for others. Each stage uses resources of time or space differently, and it is often a key goal of language evaluation to shift activities from one stage to an earlier or later one so as to improve the efficiency of a critical stage. Not only does this discussion characterize the distinction of "compile-time" (where time efficiency is usually not critical) versus "run-time" (where time efficiency is often critical), but it also characterizes the various stages of compile-time itself: the ordering of the activities of optimization, intermediate code generation, and register allocation is often critical to the efficiency of the compiler, and to its ability to perform some activities at all.

How do stages of evaluation show up in a semantics? In a denotational semantics they do not show up at all. In other kinds of semantics, for example VDM, they show up very concretely as fixed times (compile-time, run-time) with respect to which program evaluation has to be expressed. One of our goals is to develop a style of writing semantics so that the staged evaluation of a language can be expressed naturally, and so that the properties of the computation that occur at each stage (time and space requirements, for example) can be analyzed.

What is the significance of stages of evaluation for language design? Given that a language designer has a desire to represent some given world in a language, and given constraints about what information must be known at various stages of evaluation, or what activities must happen at various stages, what are a language designer's choices? Clearly, the designer must attempt to design a language so that the constraints on the stages of evaluation are satisfied.

Given the model of design that we propose, we can describe the range of languages that could be used as languages for some underlying world of interest. Also, we can show how a language that lacks some property can be redesigned to acquire it.

The designer's choices: How stages of evaluation are manipulated in designs

The goal of the current work is to be able to express the important practical phenomena of stages of evaluation in terms of removal of information from an algebra representing a language or world. Also, we want to be able to reason about solutions to problems in languages concerning stages of evaluation. The removal of information from an algebra forces the need for a later stage of evaluation in which the information is presented. There are two important aspects of this. One is that when information is removed from an algebra the meanings of the remaining objects have to change. Intuitively, if one designs a language to represent some world, one would expect that the meanings of the constructs in the language would have to change in proportion to the difference between the structure of the world and the structure of the language. In the case of splittings the meanings of the constructs left behind are functions of the information removed. The second important aspect is that evaluation that took place at one stage before might now be shifted to another stage, and that this shift might be unacceptable for reasons of efficiency.

In the case that the shift of evaluation to another stage is unacceptable, the language designer has two choices. One is to simply undo the design step that introduced the shift of parts of the evaluation to the new stage. The other, more interesting, alternative is to attempt to incorporate into the language a version of the actions that have been delayed to a later stage. Algebraically, this amounts to raising semantic operations to the level of the language. Although it was, of course, designed by completely different methods than the ones we propose, the Algol68 variant case statement provides an excellent example of one of the kinds of constructs that emerges, in our design model, from this strategy of incorporating late-stage semantic activities into the language itself. This statement forces the programmer to explicitly code for the checking of the current type of the variant, and to provide statements to be executed in the case of any possible outcome of this check. This assures that type correctness of the program can be determined at compile time, even though the presence of variants for which value and type information is delayed until runtime would seem to preclude that.
1. Overview

The point of this paper is to describe a challenging application of algebraic methods to programming language theory. Much work on the theory of Scheme-like languages (applicative, but not necessarily functional) has an essentially algebraic flavor [Talcott 1985] [Felleisen, Wand, et al. 1988]. Thus it seems appropriate to make the algebraic aspect explicit. This would allow us to take advantage of the work in algebraic methods to extend and generalize existing work and to facilitate application of the results. Full support of this application of algebraic methods will require bringing diverse results together in a single enriched framework.

The goal of our work is to develop a general semantic framework that provides a formal basis and tools for a wide range of programming activities such as: design and implementation of languages; dynamic language extension; building programming environment tools; specifying programs, including programs that operate on other programs; proving properties of programs; and program transformation, including compiling, high-level optimizations, partial evaluation, programming-in-the-large, and program derivation.

To support such a range of activities it is necessary to support a variety of programming paradigms and to provide many views of programs: programs as data to construct, transform, and annotate; programs as descriptions of computation to execute and analyse; and programs as black boxes distinguished only by observable behavior. To effectively use the various views of programs one also needs formal connections relating them.

An algebraic setting provides a unifying framework for the various views of programs. The use of syntactic algebras, data algebras, and algebras of computation states provides a uniform treatment of data, textual, and control abstraction mechanisms in languages. The semantic equivalence relations induced by models of a specification correspond to a generalization of the notion of comparison relation [Talcott 85], with equivalence in terminal models being the maximal such equivalence. Placing our work in an algebraic setting also increases the potential for cross-fertilization with other approaches such as abstract actions [Mosses 84] and the categorical view of computation [Moggi 89].
2. Applicative languages


We start from Landin's view of programming languages as enriched versions of the lambda calculus [Landin 66]. Particular languages are determined by choices for abstract computation states, primitive data, and primitive operations to enrich the basic mechanisms of naming, abstraction, and application. Within this framework we can treat a variety of programming primitives including functional abstractions, control abstractions, objects with memory, dynamic environments, and reflection mechanisms. We study notions of program equivalence, formal systems for proving program equivalence, tools for compiling and transforming, derived computations (non-standard interpretations) such as cost of execution, reference count, strictness, trace, and abstract interpretations [1]. To illustrate some of the issues we will outline the kernel of this family of languages and discuss various extensions and refinements.

2.1. The kernel

The language consists of expressions Exp generated from given sets of variables Var and constants Con by application and abstraction. Ve is the set of value expressions: variables, constants, and abstractions.

$$Ve = Var + Con + \lambda Var.Exp \qquad Exp = Ve + app(Exp, Exp)$$

We adopt the convention that $exp, exp_0, \ldots$ range over Exp, $ve, ve_0, \ldots$ range over Ve, and similarly for other syntactic and semantic domains. The basic semantics is given in terms of computation states and transitions. The semantic domains include values (Val), environments (Env), continuations (Cnt), and states (St). Values include constants and closures of lambda expressions $\langle \lambda var.exp, env \rangle$. Environments are finite maps from variables to values. Continuations are stack-like objects that describe the rest of the computation. States are tuples with at least a local component and a continuation component. The local component is either an expression-environment pair or a value.

$$Val \supseteq Con + \langle \lambda Var.Exp, Env \rangle \qquad Env = [Var \to Val]$$

$$Cnt = \{top\} + appi(Exp, Env, Cnt) + appc(Val, Cnt)$$

$$St = \langle Exp, Env, Cnt, \ldots \rangle + \langle Val, Cnt, \ldots \rangle$$

Transitions are defined by the single-step relation $\mapsto$. The rules for application are:

$$\langle app(exp_0, exp_1), env, cnt \rangle \mapsto \langle exp_0, env, appi(exp_1, env, cnt) \rangle$$

$$\langle val, appi(exp_1, env, cnt) \rangle \mapsto \langle exp_1, env, appc(val, cnt) \rangle$$

$$\langle val, appc(\langle \lambda var.exp, env \rangle, cnt) \rangle \mapsto \langle exp, env\{var := val\}, cnt \rangle$$


[1] For examples see [Talcott 85,86], [Mason 86], [Felleisen 87], [Mason and Talcott 89a,b].


2.2. Adding primitive operations

We extend the kernel language to treat such programming primitives as abstract data types (natural numbers, lists, ...), control abstractions, objects with memory, dynamic binding, and reflection mechanisms. For example, to treat objects with memory we assume memory operations such as mk, get, set are among the constants. We add cells to the value domain, a memory component to states, and rules for applying memory operations.

$$Val \supseteq Cel \qquad Mem = [Cel \to Val]$$

$$St = \langle Exp, Env, Cnt, Mem, \ldots \rangle + \langle Val, Cnt, Mem, \ldots \rangle$$

$$\langle val, appc(mk, cnt), mem \rangle \mapsto \langle cel, cnt, mem\{cel := val\} \rangle \quad \text{if } cel \notin Dom(mem)$$

The rules for application are as before since the memory component is unchanged by these transitions.

2.3. Denotations and program equivalence

To define evaluation we introduce an answer domain Ans and an operation Unload mapping final states $\langle val, top, \ldots \rangle$ to answers. A program context cxt is an environment together with the non-local components of a state. The evaluator Ev maps expressions and program contexts to answers and is defined by $Ev(exp, cxt) = ans$ if $\langle exp, cxt \rangle \mapsto^{*} st$ for some final state st such that $Unload(st) = ans$, where $\mapsto^{*}$ is the transitive reflexive closure of $\mapsto$. From this definition we can derive the usual equational definition of a denotational interpreter. We can then abstract on the semantic domains to admit a wider class of models. The denotation of an expression is then a partial function mapping program contexts to answers.

By a program equivalence relation we mean an equivalence relation on expressions. We use several notions of program equivalence. An operational equivalence relation is determined by a set of program contexts and a notion of indistinguishability of answers. Two expressions are operationally equivalent if in all relevant contexts they give indistinguishable answers. Contexts can be either semantic contexts as above or expressions with holes. A denotational equivalence relation is determined by a class of models. Two expressions are denotationally equivalent if they have the same denotation in all models under consideration. A program equivalence may also be characterized as the least or greatest equivalence relation satisfying some closure conditions. For example, a reduction calculus is determined by a set of reduction rules and the induced equivalence is the congruence closure of the reduction rules.


2.4. Intensions

As a tool for studying intensional aspects of computation we introduce the notion of derived computations. Let Dval be a domain of derived values. Derived states are state-derived value pairs. A derived computation is determined by a derivor map $D \in [St \times St \times Dval \to Dval]$. Rules for transitions on $St \times Dval$ are obtained from the basic transition rules by defining $\langle st, dval \rangle \mapsto \langle st', D(st, st', dval) \rangle$ if $st \mapsto st'$. A derived evaluator Dev is obtained from a derived computation by specifying a derived answer domain Dans and a derived unloading operation $Dunld \in [St \times Dval \to Dans]$. Then $Dev(exp, cxt, dval) = dans$ if $\langle \langle exp, cxt \rangle, dval \rangle \mapsto^{*} \langle st, dval' \rangle$ for some final st such that $Dunld(st, dval') = dans$. As with the standard evaluator we can abstract from the state transition definition and also provide a basis for developing computable approximations. Reference counting and cost analyses can be explained by derived computations. Several examples of derived computations are worked out in [Talcott 86].
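The kernel of 2.1, its memory extension of 2.2, the evaluator of 2.3 and the step-counting derived computation of 2.4, as one executable state-transition machine (an added example in Python, not the paper's own code). Rules the page does not write out (evaluating a variable, constant or abstraction to a value, and the behaviour of get and set) are assumptions of this example, as is the encoding of continuations and states as tagged tuples.

```python
from dataclasses import dataclass
from typing import Any, Dict

# ---- syntax (2.1): Ve = Var + Con + lambda Var.Exp,  Exp = Ve + app(Exp, Exp)
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Con: value: Any              # constants; mk, get and set (2.2) are constants too
@dataclass(frozen=True)
class Lam: var: str; body: Any     # lambda var. body
@dataclass(frozen=True)
class App: fun: Any; arg: Any      # app(fun, arg)

# ---- values: Val includes Con, closures <lambda var.exp, env> and cells Cel (2.2)
@dataclass
class Closure: lam: Lam; env: Dict[str, Any]   # Env = [Var -> Val], a Python dict
@dataclass(frozen=True)
class Cel: ident: int                          # Mem = [Cel -> Val], a dict keyed by Cel
@dataclass(frozen=True)
class SetTo: cel: Cel      # assumption: set is curried; 'set' applied to a cell waits for the value

# ---- continuations Cnt = {top} + appi(Exp, Env, Cnt) + appc(Val, Cnt) and states
# St = <Exp, Env, Cnt, Mem> + <Val, Cnt, Mem>, both encoded as tagged tuples (assumption)
TOP = ("top",)
def appi(exp, env, cnt): return ("appi", exp, env, cnt)
def appc(val, cnt): return ("appc", val, cnt)
def exp_state(exp, env, cnt, mem): return ("E", exp, env, cnt, mem)
def val_state(val, cnt, mem): return ("V", val, cnt, mem)
def is_final(st): return st[0] == "V" and st[2] == TOP

def step(st):
    """The single-step relation |->: the successor of st, or None when st is stuck."""
    if st[0] == "E":
        _, exp, env, cnt, mem = st
        if isinstance(exp, App):          # <app(e0,e1),env,cnt> |-> <e0,env,appi(e1,env,cnt)>
            return exp_state(exp.fun, env, appi(exp.arg, env, cnt), mem)
        if isinstance(exp, Var) and exp.name in env:   # assumed: a variable yields its binding
            return val_state(env[exp.name], cnt, mem)
        if isinstance(exp, Con):          # assumed: a constant is its own value
            return val_state(exp, cnt, mem)
        if isinstance(exp, Lam):          # assumed: an abstraction yields a closure
            return val_state(Closure(exp, env), cnt, mem)
        return None
    _, val, cnt, mem = st
    if cnt[0] == "appi":                  # <val,appi(e1,env,cnt)> |-> <e1,env,appc(val,cnt)>
        _, exp1, env, rest = cnt
        return exp_state(exp1, env, appc(val, rest), mem)
    if cnt[0] == "appc":
        _, fun, rest = cnt
        if isinstance(fun, Closure):      # <val,appc(<lambda var.exp,env>,cnt)> |-> <exp,env{var:=val},cnt>
            return exp_state(fun.lam.body, {**fun.env, fun.lam.var: val}, rest, mem)
        if fun == Con("mk"):              # <val,appc(mk,cnt),mem> |-> <cel,cnt,mem{cel:=val}>, cel fresh
            cel = Cel(len(mem))           # cells are never removed, so this cel is not in Dom(mem)
            return val_state(cel, rest, {**mem, cel: val})
        if fun == Con("get") and isinstance(val, Cel):   # assumed: get reads the cell
            return val_state(mem[val], rest, mem)
        if fun == Con("set") and isinstance(val, Cel):   # assumed: set cel val stores and returns val
            return val_state(SetTo(val), rest, mem)
        if isinstance(fun, SetTo):
            return val_state(val, rest, {**mem, fun.cel: val})
    return None

def unload(st):
    """Unload (2.3): a final state <val, top, mem> gives its answer; constants unwrap."""
    return st[1].value if isinstance(st[1], Con) else st[1]

def run(exp, env, mem, derivor, dval):
    """Iterate |-> from <exp, cxt> to a final state, applying the derivor
    D(st, st', dval) at every transition as the derived-computation rule of 2.4 says."""
    st = exp_state(exp, env, TOP, mem)
    while not is_final(st):
        nxt = step(st)
        if nxt is None:
            raise RuntimeError(f"stuck state: {st!r}")
        st, dval = nxt, derivor(st, nxt, dval)
    return st, dval

def ev(exp, env=None, mem=None):
    """Ev(exp, cxt) = Unload(st) for the final st with <exp, cxt> |->* st."""
    st, _ = run(exp, env or {}, mem or {}, lambda st, nxt, d: d, None)
    return unload(st)

def dev(exp, env=None, mem=None):
    """Derived evaluator with D(st, st', n) = n + 1 and Dunld(st, n) = (Unload(st), n):
    the answer together with the number of transitions taken, a simple cost analysis."""
    st, n = run(exp, env or {}, mem or {}, lambda st, nxt, n: n + 1, 0)
    return unload(st), n

# ---- constructed sample programs
K = Lam("x", Lam("y", Var("x")))                     # lambda x. lambda y. x
PROG_K = App(App(K, Con(1)), Con(2))                 # (K 1) 2
PROG_MEM = App(Lam("c", App(Lam("_", App(Con("get"), Var("c"))),       # let c = mk 5 in
                            App(App(Con("set"), Var("c")), Con(7)))),  # (lambda _. get c)(set c 7)
               App(Con("mk"), Con(5)))

if __name__ == "__main__":
    print(ev(PROG_K), dev(PROG_MEM))   # 1 (7, 27)
```

Because the derivor sees every pair of consecutive states, the same driver yields a trace or a reference count by swapping the lambda passed to run, which is exactly the abstraction the derived-computation definition is meant to buy.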

If we want to reason about occurrences of expressions we can replace expressions by labels together with a map fetch from labels to a pair consisting of a tag and a label sequence. A tag is either app, $\lambda var$, a constant, or a variable, and the label sequence labels subexpression occurrences. Transition rules are modified accordingly. For example, if $fetch(lab) = (app, [lab_0, lab_1])$ then $\langle lab, env, cnt \rangle \mapsto \langle lab_0, env, appi(lab_1, env, cnt) \rangle$.


3. Towards an algebraic theory

To make the algebraic aspects of our theory explicit we work with programming language algebras (PL algebras). Following [Broy et al. 1987] our PL algebras specify syntactic and semantic entities in a single (partial) algebraic theory. The theory has a kernel which is elaborated and refined in various ways. In the algebraic setting these can all be thought of as operations on theories. Some operations change the theory while some only change the presentation. Most operations are naturally determined by local features. Operations illustrated above include: adding new semantic domains, adding summands to domain equations, adding components to structures, restructuring (replacing states by expression-context pairs or replacing expressions by locations plus the fetch map), addition of transition rules, and lifting of transition rules on enriched states.

To study program equivalence we need mechanisms for specifying classes of program contexts, notions of indistinguishability of answers, and classes of models. We also need mechanisms for handling reduction rules, for expressing closure operations such as congruence, transitive, and equivalence closure, and more generally for forming least or greatest relations satisfying certain conditions. We also need tools for reasoning with and about the resulting relations based on the form of definition. One goal of our generalized algebraic framework is to obtain a deeper understanding of operational equivalence by examining richer classes of observing contexts. Thus it will be of interest to consider non-reachable models and families of models parameterized by classes of primitive operations.

To provide tools for program analysis we need tools for abstracting and encapsulating various levels of specification, for instantiating to particular interpretations, for refining an interpretation, and for relating different interpretations. This suggests treating abstractions of specifications and descriptions of particular interpretations as first class objects with tools for doing "algebra-in-the-large". In many cases we need to focus attention on particular models by specifying additional axioms and model-theoretic constraints such as initiality, finality, reachability. Thus a formal language for expressing some class of model-theoretic constraints would be of great help.

Finally we will want to embed PL algebras into mechanized reasoning systems to facilitate semantics-based formal reasoning about programs. In particular we will want the ability to express and reason about general first order or even higher order properties. This is a challenge both to algebraic methods and to builders of mechanized reasoning systems to make natural embeddings possible.
The increasing requirement for flexibility and efficiency of various complex programming applications demands that new programming languages be extensible. The existing language extension methods allow only static extensibility of programming languages. These methods are restricted to be static by language implementation by means of syntax-oriented compilers and hence they do not allow dynamic changes (i.e. adaptation or extension of the language according to the real needs of the language user).

The dynamic extension of programming languages is not a new problem. However, its actual solution and implementation in specific cases have not been fully explored. This is due to the fact that language extension is very complex and difficult to apply in the environment of language specification by grammar and syntax-directed compiler implementation controlled by derivations using the specification grammar. We will sketch in this paper a model for language extensibility based on the dynamic extension of the language semantics in an environment in which language specification rules are interpreted as operation schemes of an algebra rather than rewriting rules of a context-free grammar.

The mathematical machinery providing support for the design of programming language semantics is the HAS hierarchy [Rus83]. The HAS hierarchy allows the creation of a formal mechanism for the specification of the concept of a hierarchical abstract computing system. The objects that belong to such an abstract computing system are represented as formal expressions which are organized into an algebra of words W [Gra68], [Pur77] and can be constructed dynamically following a hierarchy of layers [Rus83], each layer being constructed on top of the previous layers of the hierarchy. Therefore, the concept of an abstract computing system is considered here as the mathematical support for dynamic specification of the semantics of a programming language. It is specified by means of a hierarchy of heterogeneous algebras.

A heterogeneous algebra is a triple

$$A = \{D, \Sigma S, F\}$$

where $D$ is the set of primitive and composed computing objects, $\Sigma S$ is the operation scheme set, consisting of primitive and composed operation schemes, while $F$ is the function which associates to each operation scheme $\sigma \in \Sigma S$ a computing operation. The assumption is that the carrier $D$ of the algebra $A$ is a family of sets $D = \{D_i \mid i = 0, 1, \ldots, n\}$ and the operation schemes in $\Sigma S$ can be organized into a hierarchy $\Sigma S = \{HAS(0), HAS(1), \ldots, HAS(p)\}$ such that if $\sigma \in HAS(0)$ then $F(\sigma)$ is a nullary operation, that is, $F(\sigma)$ is a constant in a set $D_j$, $0 \le j \le n$. For each $i > 0$, if $\sigma \in HAS(i)$, $F(\sigma)$ has as its domain a direct product of sets used as ranges of the operations associated with the operation schemes in $HAS(i-1), \ldots, HAS(0)$ and as its range a set already used as the range of operations in $HAS(i-1), \ldots, HAS(0)$, or a new set of $D$ not yet used as the range of any other operation.

The computation behavior of each operation associated with the operation schemes as shown above is specified by a collection of specific formal identities.

The objects of the abstract computing system are represented as formal expressions organized into a heterogeneous algebra of words

$$W(V) = \{V, \Sigma S, F\}$$

where $V$ is a set of symbols used to denote constants of the computing system and for each $\sigma \in \Sigma S$, $F(\sigma)$ is a rule of word formation under the restrictions specified above for the algebra $A$.

The notion of semantic dynamic extensibility is expressed by the dynamic character of the algebras $A$ and $W$. It allows dynamic definition of new operations in $A$ which supply new dynamic expression forms in $W$. Since $A$ and $W$ are two similar algebraic structures, their dynamic extensibility is related by homomorphisms $f : A \to W$ and $e : W \to A$ such that $f = e^{-1}$ and $e = f^{-1}$. The construction of these homomorphisms can be sketched as follows. Since $W$ is an initial algebra of the class of algebras specified by $\Sigma S$, there exists a unique homomorphism $h : W \to A$ that coincides with a function $e : V \to D$ on the generator set $V$. On the other hand, any surjective function defined on the free generators of the carrier of the semantic algebra and taking values in the free generators of the algebra $W$ can uniquely be extended to a homomorphism. It can be shown that this homomorphism is an inverse of the homomorphism obtained by extending $e$ to the homomorphism $e^{*} : W \to A$ that evaluates the free generators of $W$ to the values they denote, and conversely. Moreover, this property is preserved by dynamically extending the original heterogeneous algebras $A$ and $W$ by taking their carriers as index sets of the family of sets supporting a new level of heterogeneous algebras. Since the carrier of a programming language algebra has a finite set of generator classes, this construction can be used to put together the syntax algebra and the semantics algebra of a programming language into a programming language specified by a pair of algebras related as above and to organize them into a hierarchy of layers. Thus, the process of dynamic extension of the expression forms of an algebra can directly be applied to the dynamic extension of the programming language semantics. An application of this result is shown in the context of the Clear specification language in [Bur80]. We illustrate this application by developing a semantic model of a Pascal-like programming language expressed in terms of its representation in a machine meant to implement it. This is done by layering the language algebras on the following levels:

•  Let $D_0$ be the set of primitive data types of a programming language. This set can be organized as an algebra 

$A_0 = \{D_0,\ H_0,\ F_0 : H_0 \to I\}$ 

where $H_0$ is the set of symbols denoting nullary operations defined on the carrier set of the primitive data types, $F_0$ is the function that associates to each $a \in H_0$ its memory representation length in standard units (bytes, words, etc.), while $I$ is a subset of the natural numbers. The set $I$ will be taken as the index set of the next level of the language hierarchy. 

Level 1 of the language hierarchy is defined using level 0 as the selector set for the domain of the operations on level 1 and has the form: 

$A_1 = \{P_1 = \{P_i \mid i \in I\},\ (ES_0)_{o \in H_0},\ F_0' : \ldots,\ F_1\}$ 

where: 

—  $P_1$ represents a partitioning of $D_0$ into classes of data types, the partitioning criterion being the representation length. 

—  $ES_0$ is the set of operation schemes providing the definition of the new types of objects in terms of objects of level 0. 

—  $F_0'$ is a function specifying the domain and the range of all operation schemes of the new operations, while $F_1$ is the function that associates the new operation schemes with computation rules. 

In order to define level 2 of the language hierarchy one must consider the manner of data interpretation. This is performed by considering the following algebra specifying the semantics of level 2: 

$A_2 = \{P_2 = \{D_{ij} \mid i \in N,\ j \in M\},\ (ES_{0,i,j}),\ F_2 : P_1 \times M \to N \times M,\ F_2'\}$ 

where: 

-  $D_{ij}$ represents the carrier of the $i$-th length data type interpreted in the $j$-th manner. 

-  $ES_{0,i,j}$ is the set of operation schemes of the new language level. 

-  $F_2$ specifies the index set of the carrier $P_2$ of level 2 of the language algebra, while $F_2'$ is the function that associates each operation scheme $o \in ES_{0,i,j}$ and a $j$-manner of interpretation with a heterogeneous operation specific to level 2 of the hierarchy. 

-  The set $M$ contains the possible manners of interpretation, while the set $N$ contains the possible interpretation lengths. 


•  Level three of the language algebra hierarchy is specified by 

$A_3 = \{D_3 = \{D_i \mid i \in I\},\ (ES_3),\ F_3\}$ 

which allows the definition of certain type constructors for the introduction of the Pascal-like data types record, file, set. This level of the language algebra hierarchy preserves the carrier of the preceding level and enriches it with new operations characteristic of the newly defined data types. 

The mathematical machinery developed in [Rus83] under the name of Heterogeneous Algebraic Structures (HAS-hierarchy) models the construction of new types of objects and allows the dynamic extension of a language algebra over a practically unlimited number of layers. The construction of new layers of computing objects supported by the language depends only on the types of objects required by the application and on the imagination and ability of its constructor. The application of this mathematical machinery to language development, allowing dynamic language extensibility according to the language user's computing needs, is shown in [Rus88]. 
The main question addressed in this talk is: 

What is a logic? 

that is, how should general logics be axiomatized? The talk, based on a recent paper of mine¹, proposes a specific axiomatic answer to this question and applies that answer to obtain axioms for logic programming. 

Beyond  their  application  to  logic  programming,  the  axioms  given  here  for  a  logic  are 
sufficiently  general  to  have  wide  applicability  within  logic  and  computer  science.  The 
connections  between  these  two  fields  are  growing  rapidly  and  are  becoming  deeper. 
Besides  theorem  proving,  logic  programming,  and  program  specification  and  verifi¬ 
cation,  other  areas  showing  a  fascinating  mutual  interaction  with  logic  include  type 
theory,  concurrency,  artificial  intelligence,  complexity  theory,  databases,  operational 
semantics  and  compiler  techniques.  The  concepts  presented  in  this  talk  are  moti¬ 
vated  by  the  need  to  understand  and  relate  the  many  logics  currently  being  used  in 
computer  science,  and  by  the  related  need  for  new  approaches  to  the  rigorous  de¬ 
sign  of  computer  systems.  Therefore,  this  work  has  goals  that  are  in  full  agreement 
with  those  of  J.A.  Goguen  and  R.  Burstall’s  theory  of  institutions;  however,  it  ad¬ 
dresses  proof-theoretic  aspects  not  addressed  by  institutions.  In  fact,  institutions  can 
be  viewed  as  the  model-theoretic  component  of  the  present  theory.  The  main  new 
contributions  include  a  general  axiomatic  theory  of  entailment  and  proof,  to  cover  the 
proof-theoretic  aspects  of  logic  and  the  many  proof-theoretic  uses  of  logic  in  computer 
science;  they  also  include  new  notions  of  mappings  that  interpret  one  logic  (or  proof 
calculus)  in  another,  an  axiomatic  study  of  categorical  logics,  and  the  axioms  for  logic 
programming. 


*  Supported  by  Office  of  Naval  Research  Contracts  N00014-82-C-0333  and  N00014-86-C-0450,  NSF 
Grant  CCR-8707155  and  by  a  grant  from  the  System  Development  Foundation. 

¹ “General Logics” in: H.-D. Ebbinghaus et al. (eds.) Proc. Logic Colloquium ’87, North-Holland, 1989. 
1.  Background 

The theory and practice of specification languages for data communications protocols and services (often called Formal Description Techniques or FDTs) has been the object of much recent interest. Formal and exact specifications of protocols and services are useful in every phase of the protocol development life-cycle. Even more, they are essential for protocols and services that are international standards, meant to be implemented in compatible ways across the world. The specification must capture those features of an implementation that are necessary for it to be able to communicate with other implementations. Therefore, it is important that the specification be precise and implementation-independent. 

The International Organization for Standardization (ISO) has been developing over the years a family of standardized data communications protocols, called OSI (Open Systems Interconnection). At the very beginning of this effort it was recognized that in order for OSI to be a real standard, it was necessary to provide it with an appropriate FDT, in which OSI standards could be specified. An international committee (of which the author of this paper is a member) set out to produce such a standard FDT, and, some years later, the language LOTOS has now become an International Standard [ISO]. Interestingly enough, the language is turning out to be very appropriate not only for OSI protocols and services, but also for a wide family of distributed systems. In this paper, we intend to offer a very brief overview of the basic philosophy of LOTOS and of research work being carried out around it. Much additional information on LOTOS can be found in [VVD][ISO], and in the annual series of Proceedings Protocol Specification, Testing and Verification, published by North Holland. 

2.  LOTOS  Principles 

LOTOS, the Language of Temporal Ordering Specifications, is one of the most precisely defined languages in use today. Its static semantics are defined by an attributed grammar, while its dynamic semantics are based on algebraic concepts. LOTOS is made up of two components: a data type component, which is based on the algebraic specification language ACT ONE [EM], and a control component, which is based on a clever mixture of Milner’s CCS [M] and Hoare’s CSP [H]. Most of the theoretical framework of the control component, and especially the concept of internal action, are based on Milner’s work. In particular, non-determinism is modelled by internal actions as in [M] rather than by adding special operators as in [H]. The rendez-vous semantics follow Hoare’s "multi-way rendez-vous" concept, by which all processes that share a gate must participate in a rendez-vous on that gate. Actions, however, can be transformed into internal actions by hiding them. In this way, further participation in the action by processes outside the hide is prevented. 

LOTOS  dynamic  semantics  for  the  control  component  is  expressed  in  operational  terms  by  infer¬ 
ence  rules  as  in  [M],  and  the  operators  were  chosen  in  such  a  way  that  it  has  been  possible  to 
prove  about  them  a  rich  set  of  algebraic  properties,  similar  to  those  of  [M].  Therefore,  the 
language  is  at  the  same  time  "executable"  (by  virtue  of  the  operational  semantics),  and  amenable 
to  proof  techniques  (by  virtue  of  the  algebraic  properties). 

The  language  is  purely  recursive  in  nature,  without  side  effects.  It  supports  process  parameteriza¬ 
tion,  where  it  is  possible  to  specify  both  value  and  gate  parameters. 

Some of the most important operators of the control part are: [] (choice), |[A]| (parallel execution with synchronization via gates in set A), || (parallel execution with synchronization on all gates), ||| (parallel execution in interleave), hide (hiding of gates), >> (sequential composition of processes), and [> (disable, modelling a nondeterministic interruption). 

The  data  part  supports  parameterized  types,  type  renaming,  and  conditional  rules. 

Because  of  the  fact  that  LOTOS  is  made  up  of  what  its  designers  viewed  as  the  most  valid  parts 
of  CCS  and  CSP,  the  language  has  considerable  expressive  power.  It  favors  a  highly  structured 
specification  style  and  top-down,  as  well  as  bottom-up,  design.  For  example,  following  some 
ideas  already  present  in  [H],  "constraint-oriented"  specifications  are  possible  in  LOTOS,  i.e.  a 
specification  can  be  designed  as  a  collection  of  processes  each  one  of  which  imposes  its  own  log¬ 
ical  constraints  on  the  overall  system  behavior  (this  turns  out  to  be  a  powerful  way  to  impose 
"separation  of  concerns").  Other  styles,  useful  for  different  purposes  (e.g.,  implementation 
specification,  state-oriented  specification,  etc.)  are  also  possible,  and  a  theory  of  how  to  transform 
a  specification  style  into  another  is  being  developed. 

3.  Executability  of  LOTOS  Specifications  and  LOTOS  Tools 

Because LOTOS is (partially) executable, a specification is effectively a "fast prototype" of the entity specified, so it is possible to exercise a specification of a complex system at the design stage. This means that design errors can be found much earlier in the software development cycle than with other techniques. 

The two LOTOS interpreters in existence today are described in [L][GHL][VVD]. 

4.  Verification  in  LOTOS 

It  is  possible  to  carry  out  in  LOTOS  proofs  such  as  the  ones  found  in  [M][H],  and  the  proof 
methods  are  similar  to  those  found  in  these  references.  The  best  developed  proof  techniques 
involve  the  concept  of  "bisimulation"  [P][B1].  Proof  methods  based  on  the  concepts  of  "traces" 
and  "refusal  sets"  [H]  are  also  being  considered.  Unfortunately  however,  because  of  the  presence 
of  internal  actions,  some  of  the  proof  methods  developed  for  CSP,  such  as  fixpoint  induction 
methods,  do  not  seem  to  be  applicable  to  LOTOS. 

An important open problem is to find a unified verification framework for both the control and the data part. 

Of  course,  the  challenging  aspect  is  to  be  able  to  prove  properties  of  systems  of  realistic  size.  To 
this  end,  computer-assisted  verification  tools  are  being  envisioned. 

5.  A  Theory  of  Implementation  and  Testing 

A  rich  formal  theory  of  implementation  and  testing  is  being  developed  around  LOTOS  [BB][B]. 
This  means  that  the  relation  "I  is  an  implementation  of  S"  is  formally  defined  for  two  expressions 
I  and  S.  This  formalization  is  given  by  the  reduction  relation,  where  I  reduces  S  if:  i)  I  can  only 
execute  actions  that  S  can  execute  and:  ii)  I  can  only  refuse  actions  that  can  be  refused  by  S. 
Intuitively,  I  can  be  more  deterministic  than  S,  and  can  contain  fewer  options.  In  other  words,  in 
LOTOS  the  abstraction  of  a  specification  with  respect  to  the  implementation  is  represented  by  a 
higher  level  of  nondeterminism. 

Similarly, the relation "A and B are testing equivalent" [DH] has been formally defined as: A reduces B and B reduces A. Roughly speaking, two specifications are testing equivalent if their externally observable behaviors are identical. This corresponds to the failure equivalence of Hoare [H]. By using these concepts, it is possible to derive implementations and test cases in a formal way from a LOTOS specification. 

It  must  be  observed,  however,  that  so  far  these  concepts  have  been  fully  developed  for  restricted 
forms  of  the  language  only. 

6.  LOTOS  in  Practice 

Specifications  of  real-life  systems  of  thousands  of  lines  have  been  written  in  LOTOS.  Some  of 
these  are  on  their  way  towards  becoming  part  of  ISO  International  Standards.  Some  examples 
are: several OSI layers (Network, Transport, Session), specifications of telephone systems [FLS], etc. (in addition of course to all the best known "textbook" examples such as the Alternating Bit Protocol, the Dining Philosophers problem, etc.). Several such examples are included in [VVD]. The language is starting to be used in industrial environments, and the results appear to be quite promising. 


7.  A  LOTOS  Example 

The  following  example,  adapted  from  [BB],  is  a  LOTOS  specification  for  an  entity  which  is  able 
to  accept  three  natural  numbers  in  any  order  and  stops  after  printing  the  largest  of  them. 


01 specification Max3[in1,in2,in3,out] : noexit 
02   type integer is 
03     sorts int 
04     opns 
05       zero    :          -> int 
06       succ    : int      -> int 
07       largest : int, int -> int 
08     eqns forall X,Y: int ofsort int 
09       largest ( zero , X ) = X; 
10       largest ( X , zero ) = X; 
11       largest ( succ(X) , succ(Y) ) = succ ( largest(X,Y) ); 
12   endtype 
13   behavior 
14     hide mid in 
15     ( 
16       Max2 [in1,in2,mid] 
17       |[mid]| 
18       Max2 [mid,in3,out] 
19     ) 
20   where 
21     process Max2 [val1,val2,max] : noexit := 
22       ( val1?X:int; exit(X, any int) 
23         ||| 
24         val2?Y:int; exit(any int, Y) 
25       ) 
26       >> accept V: int, W: int in 
27       max!largest(V,W); stop 
28     endproc 
29 endspec 


The  specification  is  to  be  read  as  follows: 

Lines  2  to  12  define  the  type  integer  with  its  associated  operation  largest .  This  is  done  according 
to  the  semantics  of  [EM].  Of  course,  the  standard  LOTOS  library  contains  all  these  definitions, 
so  normally  the  user  will  include  them  by  invoking  the  library. 

Lines 14 to 19 describe the top structure of the specification, which consists of two instantiations of process Max2. The latter is capable of finding the largest of two numbers, read in any order from gates val1 and val2, and outputting it on gate max. As the two copies of Max2 are instantiated, their gates are renamed respectively in1, in2, mid, and mid, in3, out, so that the output value computed by one copy is fed to the other over gate mid. Note that mid is hidden, because it is meant for internal communication between the two instances of Max2 only. 

Lines 21 to 28 describe process Max2. It allows interleaving between the input actions on gates val1 and val2. Both values input are then forwarded to the action on line 27, which calculates the largest of them and outputs it. 

Lines 22 to 27 could also be written as follows: 

    val1?X:int; val2?Y:int; max!largest(X,Y); stop 
    [] 
    val2?Y:int; val1?X:int; max!largest(X,Y); stop 

and the equivalence between the two specifications could be proved easily by using the simplest rules of bisimulation. 
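The bisimulation argument for the two forms of Max2 above, and the reduction relation of section 5, can both be exercised mechanically on small transition systems. The following Python is an added example and is not part of the paper or of any LOTOS tool. It builds the labelled transition systems of both forms of Max2 over a finite value domain (an assumption; sort int is infinite), models the exit/>> handover of the first form as one internal action i, and adds a third variant in which the process picks the gate to read first by an internal choice. The third variant has the same traces as Max2, yet it is not weakly bisimilar to it and does not reduce it, while Max2 does reduce the variant, which is exactly the "I may be more deterministic than S" reading of section 5. Function and state names are this example's own.

```python
"""Added example: the two forms of Max2 from section 7 as labelled transition
systems, checked for weak bisimulation, plus the reduction relation of section 5.
Assumptions (not from the paper): sort int is cut down to a finite domain, and the
'>> accept' of the first form is modelled as a single internal step 'i'."""

VALUES = (0, 1, 2)   # finite stand-in for sort int (assumption)
TAU = "i"            # LOTOS internal action

def _add(t, s, a, d):
    # record s --a--> d in the LTS t (dict: state -> set of (action, next state))
    t.setdefault(s, set()).add((a, d))
    t.setdefault(d, set())

def lts_interleaved():
    """Max2 as on lines 22-27: val1?X ||| val2?Y, then '>> accept' (an i step), then max!."""
    t = {}
    for x in (None,) + VALUES:
        for y in (None,) + VALUES:
            s = ("par", x, y)
            for v in VALUES:
                if x is None:
                    _add(t, s, f"val1?{v}", ("par", v, y))
                if y is None:
                    _add(t, s, f"val2?{v}", ("par", x, v))
            if x is not None and y is not None:
                _add(t, s, TAU, ("acc", x, y))            # exit(X,Y) >> accept V,W
                _add(t, ("acc", x, y), f"max!{max(x, y)}", "stop")
    return t, ("par", None, None)

def lts_choice(internal):
    """The rewritten form: val1?X; val2?Y; max!..; stop [] val2?Y; val1?X; max!..; stop.
    With internal=True each branch is guarded by an i step (i; ... [] i; ...)."""
    t = {}
    left, right = ("left", "right") if internal else ("start", "start")
    if internal:
        _add(t, "start", TAU, left)
        _add(t, "start", TAU, right)
    for v in VALUES:
        _add(t, left, f"val1?{v}", ("got1", v))
        _add(t, right, f"val2?{v}", ("got2", v))
        for w in VALUES:
            _add(t, ("got1", v), f"val2?{w}", ("both", v, w))
            _add(t, ("got2", w), f"val1?{v}", ("both", v, w))
            _add(t, ("both", v, w), f"max!{max(v, w)}", "stop")
    return t, "start"

def tau_closure(t, s):
    """All states reachable from s by zero or more internal steps."""
    seen, todo = {s}, [s]
    while todo:
        for a, d in t[todo.pop()]:
            if a == TAU and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen

def weak_moves(t, s, a):
    """States reachable by i* a i* (just i* when a is the internal action itself)."""
    pre = tau_closure(t, s)
    if a == TAU:
        return pre
    return {e for u in pre for b, d in t[u] if b == a for e in tau_closure(t, d)}

def weakly_bisimilar(p, q):
    """Greatest fixpoint: drop a pair as soon as a strong move of one side has no weak match."""
    (t1, s1), (t2, s2) = p, q
    rel = {(u, v) for u in t1 for v in t2}
    changed = True
    while changed:
        changed = False
        for u, v in list(rel):
            fwd = all(any((d, e) in rel for e in weak_moves(t2, v, a)) for a, d in t1[u])
            bwd = all(any((d, e) in rel for d in weak_moves(t1, u, a)) for a, e in t2[v])
            if not (fwd and bwd):
                rel.discard((u, v))
                changed = True
    return (s1, s2) in rel

def _stable_inits(t, s):
    """trace -> initial action sets of the stable states (no i move) reached after that trace.
    These LTSs are acyclic, so every trace ends in a stable state and all traces appear."""
    out = {}
    def walk(u, trace):
        inits = frozenset(a for a, _ in t[u])
        if TAU not in inits:
            out.setdefault(trace, []).append(inits)
        for a, d in t[u]:
            walk(d, trace if a == TAU else trace + (a,))
    walk(s, ())
    return out

def reduces(impl, spec):
    """Section 5: I reduces S if I only executes actions S can execute and only refuses
    actions S can refuse. A stable state refuses exactly the actions outside its initial
    set, so after each trace S must have a stable state whose initial set is no larger."""
    ri, rs = _stable_inits(*impl), _stable_inits(*spec)
    for trace, inits_i in ri.items():
        if trace not in rs:
            return False
        if not all(any(init_s <= init_i for init_s in rs[trace]) for init_i in inits_i):
            return False
    return True
```

weakly_bisimilar(lts_interleaved(), lts_choice(False)) holds, because the i step introduced by >> is absorbed by the weak transfer condition; against lts_choice(True) it fails at the very first i step, since after that step only one gate is offered. reduces(lts_interleaved(), lts_choice(True)) holds and the converse does not: the internally choosing variant can refuse val2 at the start, which Max2 never does.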
INTRODUCTION 

One of the most difficult problems in the design and verification of distributed systems is the development of an appropriate notion of abstraction. In the last few years, the process algebra approaches of Milner [1], Hennessy [2-3], De Nicola [4-5], Bergstra and Klop [6], and Brookes, Hoare, and Roscoe [7] have made substantial progress in this area. This paper explores the use of many concepts from the theory of process algebras within the more traditional framework of abstract data types [8-9]. 

Distributed data types (DDTs) arise naturally in a variety of situations in which a distributed system can be viewed as a single object. The distributed nature of such objects manifests itself through spontaneous, internal operations which may alter the object’s externally visible behavior. Formally, we define a DDT as a heterogeneous algebra supplemented by such internal operations. In our approach, a distributed system is first specified as a single DDT, then modeled as a family of distributed objects (which are in turn specified as DDTs) and processes which act upon these objects. Verification consists of showing that the model correctly implements the specification by offering only behaviors that are more deterministic than those allowed by the specification. 

This  procedure  may  be  repeated  for  each  distributed  data  type  used  in  the  model,  allowing  stepwise 
refinement  of  the  specification  to  any  level  of  detail.  At  each  step,  the  complexity  of  analysis  (e.g., 
state  space  explosion)  is  controlled  through  elimination  of  internal  operations  which  do  not  alter  the 
observable  behavior  of  the  object. 

DISTRIBUTED  DATA  TYPES 

We first extend the traditional definition of a signature [8-9] to accommodate the notion of objects which may alter their behavior through spontaneous internal operations. 

Definition 1  An $S$-sorted distributed signature $\Sigma = \langle S, F, I \rangle$ consists of 

•  a set $S$ of sort names. 

•  a family $F_{w,s}$ of sets of external operation names, where $w \in S^*$ and $s \in S$. For convenience, $f \in F_{w,s}$ is depicted as $f : s_1 \times \ldots \times s_n \to s$ where $w = s_1, \ldots, s_n$, and $F$ is taken to be $\bigcup_{w,s} F_{w,s}$. 

•  a family $I_s$ of sets of internal operation names, where $s \in S$. Again, $i \in I_s$ is depicted as $i : s \to s$ and $I$ is taken to be $\bigcup_s I_s$. 

Example 1  The signature of a distributed, bounded queue of length 3 may be given as $\Sigma = \langle S, F, I \rangle$ where $S = \{queue, item\}$ and 

$F = \{\ nq : \to queue,\ enq : queue \times item \to queue,\ deq : queue \to queue,\ next : queue \to item\ \}$ 

$I = \{\ \tau_1 : queue \to queue,\ \tau_2 : queue \to queue\ \}$ 

In what follows, it will be useful to compare signatures which differ only in their internal operations. 

Definition 2  Let $\Sigma = \langle S, F, I \rangle$ and $\Sigma' = \langle S', F', I' \rangle$ be $S$ and $S'$ distributed signatures. Then $\Sigma \subseteq \Sigma'$ (read $\Sigma$ is contained by $\Sigma'$) if $S = S'$, $F = F'$, and $I_s \subseteq I'_s\ \forall s \in S$. 

A particular DDT is specified as a heterogeneous $\Sigma$-algebra supplemented with spontaneous internal operations. As in the process algebra approach [1-7], interactions between a DDT and its environment are synchronous in that a DDT may refuse to participate in an inappropriate operation. Refusal of an operation is indicated by $0$, and we adopt the convention that refusals propagate, i.e., $f(a_1, \ldots, a_n) = 0$ if $a_i = 0$ for any $1 \le i \le n$. 




Definition 3  Let $\Sigma = \langle S, F, I \rangle$ be an $S$-sorted distributed signature. Then a $\Sigma$-distributed data type ($\Sigma$-DDT) $A$ consists of: 

•  a set $A_s$ for each $s \in S$ (called the carrier of $A$ of sort $s$). 

•  an external function $f^A : A_{s_1} \times \ldots \times A_{s_n} \to A_s \cup \{0\}$ for each $f \in F_{w,s}$ where $w = s_1, \ldots, s_n$. 

•  an internal function $i^A : A_s \to A_s \cup \{0\}$ for each $i \in I_s$. 


Example 2  Let $ITEM$ be a predefined set of objects, $u \in ITEM$, and $x, y, z \in ITEM \cup \{\lambda\}$, where $\lambda$ is a special symbol not in $ITEM$ representing the absence of an item. A particular DDT, $A$, for the signature of Example 1 then consists of the carriers $A_{queue} = \{\langle x, y, z \rangle \mid x, y, z \in ITEM \cup \{\lambda\}\}$, $A_{item} = ITEM$ with operations 

$nq^A() = \langle \lambda, \lambda, \lambda \rangle$ 

$enq^A(\langle x, y, z \rangle, u) = \langle u, y, z \rangle$ if $x = \lambda$, $0$ otherwise 

$deq^A(\langle x, y, z \rangle) = \langle x, y, \lambda \rangle$ if $z \neq \lambda$, $0$ otherwise 

$next^A(\langle x, y, z \rangle) = z$ if $z \neq \lambda$, $0$ otherwise 

$\tau_1^A(\langle x, y, z \rangle) = \langle \lambda, x, z \rangle$ if $x \neq \lambda$ and $y = \lambda$, $0$ otherwise 

$\tau_2^A(\langle x, y, z \rangle) = \langle x, \lambda, y \rangle$ if $y \neq \lambda$ and $z = \lambda$, $0$ otherwise 


BEHAVIORS 

As  described  earlier,  verification  of  a  distributed  system  consists  of  showing  that  the  DDT  generated 
by  a  model  of  the  system  correctly  implements  the  DDT  given  as  the  specification.  To  define  this 
more  rigorously,  we  introduce  the  concept  of  a  behavior. 

Definition 4  Let $X = \{x_1, \ldots, x_n\}$ be a set and let $X_0 = X \cup \{0\}$. Then 

1.  If $x \in X_0$ then $\{x\}$ is a behavior of $X$ with $root(\{x\}) = x$ and $succ(\{x\}) = \emptyset$. 

2.  If $x \in X_0$ and $\beta_1, \ldots, \beta_n$ are ($0 < n < \infty$) distinct behaviors of $X$, then $\{x, \beta_1, \ldots, \beta_n\}$ is a behavior of $X$ with $root(\{x, \beta_1, \ldots, \beta_n\}) = x$ and $succ(\{x, \beta_1, \ldots, \beta_n\}) = \{\beta_1, \ldots, \beta_n\}$. 

Example 3  If $X = \{a, b, c, d\}$ then $\{0\}$, $\{a\}$, $\{a, \{b\}\}$, and $\{0, \{a, \{0\}\}, \{b\}\}$ are behaviors of $X$, while $\{\ \}$, $\{a, b\}$, and $\{a, \{0, b\}\}$ are not behaviors of $X$. 

Behaviors are simply trees in which some of the nodes may be a refusal, $0$, and they define how the result of an operation may change over time. For example, $\{0, \{false\}, \{true\}\}$ (read: refusal, eventually false or true) describes the behavior of an operation which is initially refused but must eventually return either the value false or true. In this example, the refusal is referred to as a transient behavior while false and true are referred to as stable behaviors. Behaviors may also be finite or infinite. In what follows, we will consider only finite behaviors. 

Definition 5  Let $\beta$ be a behavior of $X$. Then $\beta$ is stable if $succ(\beta) = \emptyset$ and transient if $succ(\beta) \neq \emptyset$. $\beta$ is finite if $\beta$ is stable or if $\forall b \in succ(\beta)$, $b$ is finite. 

A behavior $\beta$ implements a behavior $\beta'$ if it is more deterministic, i.e., if every stable behavior of $\beta$ is a stable behavior of $\beta'$ and no transient behavior of $\beta$ contradicts $\beta'$. 

Definition 6  Let $\beta$ and $\beta'$ be finite behaviors of $X$. Then $\beta \sqsubseteq \beta'$ (read $\beta$ implements $\beta'$) if any of the following are true 

1.  $succ(\beta) = succ(\beta') = \emptyset$ and $root(\beta) = root(\beta')$ 

2.  $succ(\beta) \neq \emptyset$ and $root(\beta) = root(\beta')$ and $\forall b \in succ(\beta)$, $b \sqsubseteq \beta'$ 

3.  $succ(\beta) \neq \emptyset$ and $root(\beta) = 0$ and $\forall b \in succ(\beta)$, $b \sqsubseteq \beta'$ 

4.  $\exists b' \in succ(\beta')$ such that $\beta \sqsubseteq b'$. 

Implementation is a preorder (a relation which is reflexive and transitive) over behaviors and naturally induces an equivalence relation (the kernel of $\sqsubseteq$) over behaviors [3]. Two behaviors are said to be equivalent if they implement each other. 

Definition 7  Let $\beta$ and $\beta'$ be finite behaviors of $X$. Then $\beta \sim \beta'$ (read $\beta$ is equivalent to $\beta'$) if $\beta \sqsubseteq \beta'$ and $\beta \sqsupseteq \beta'$. 

Example 4  $\{a\} \sim \{a\}$, $\{b\} \sqsubseteq \{a, \{b\}\}$, $\{a\} \not\sqsubseteq \{0, \{b\}\}$, $\{0, \{a\}\} \sqsubseteq \{a\}$, $\{0, \{a, \{b\}\}\} \sim \{a, \{b\}\}$, 

$\{a, \{0, \{a\}, \{b\}\}, \{b\}\} \sim \{a, \{a\}, \{b\}\}$, $\{a, \{0, \{a\}, \{b\}\}, \{b\}\} \not\sqsubseteq \{a, \{a\}, \{b, \{a\}\}\}$ 

IMPLEMENTATIONS OF DDTs 

In one sense, an element of a carrier of a DDT possesses not only the capabilities explicitly defined for it, but also those of all objects into which it may evolve through its internal operations. Accordingly, we associate each object with the behavior consisting of itself and those objects into which it may evolve, formally given in Definition 8 as the behavior returned by the $\tau$ operator. Note that such behaviors contain no refusals. If every behavior generated by $\tau$ for a DDT is finite (stable), then the DDT is said to be finite (stable). 

Definition 8  Let $A$ be a $\Sigma = \langle S, F, I \rangle$ DDT and let $a \in A_s$. Then 

$\tau_s(a) = \{a\} \cup \{\tau_s(i^A(a)) \mid i \in I_s \wedge i^A(a) \neq 0\}$ 

If $\tau_s(a)$ is finite (stable), $a$ is finite (stable). If $\tau_s(a)$ is finite (stable) $\forall a \in A_s$, $A$ is said to be finite (stable) for sort $s$. If $A$ is finite (stable) $\forall s \in S$, $A$ is said to be finite (stable). 

Example 5  In the DDT of Example 2, 

$\tau_{queue}(\langle x, \lambda, \lambda \rangle)$ 

$= \{\langle x, \lambda, \lambda \rangle\} \cup \{\tau_{queue}(\langle \lambda, x, \lambda \rangle)\}$ 

$= \{\langle x, \lambda, \lambda \rangle\} \cup \{\{\langle \lambda, x, \lambda \rangle\} \cup \{\tau_{queue}(\langle \lambda, \lambda, x \rangle)\}\}$ 

$= \{\langle x, \lambda, \lambda \rangle\} \cup \{\{\langle \lambda, x, \lambda \rangle\} \cup \{\{\langle \lambda, \lambda, x \rangle\}\}\}$ 

$= \{\langle x, \lambda, \lambda \rangle\} \cup \{\{\langle \lambda, x, \lambda \rangle, \{\langle \lambda, \lambda, x \rangle\}\}\}$ 

$= \{\langle x, \lambda, \lambda \rangle, \{\langle \lambda, x, \lambda \r
angle, \{\langle \lambda, \lambda, x \rangle\}\}\}.$ 

This DDT is finite but not stable. 

Applying an operation to behaviors also results in a behavior, as described in Definition 9. Note that behaviors obtained as the result of an operation may contain refusals. 

Definition 9  Let $A$ be a finite $\Sigma = \langle S, F, I \rangle$ DDT, $f : s_1 \times \ldots \times s_n \to s \in F$, and $\beta_i$ be behaviors of $A_{s_i}$, $1 \le i \le n$, such that $\beta_i = \{b_i, \beta_{i,1}, \ldots, \beta_{i,m_i}\}$. Then 

$f^A(\beta_1, \ldots, \beta_n) = \{f^A(b_1, \ldots, b_n)\} \cup \{f^A(\beta_1, \ldots, \beta_{i-1}, \beta_{i,j}, \beta_{i+1}, \ldots, \beta_n) \mid 1 \le i \le n,\ 1 \le j \le m_i\}$ 

Example 6  Consider the distributed queue DDT of Examples 2 and 5. 

$next^A(\tau_{queue}(\langle x, \lambda, \lambda \rangle)) = next^A(\{\langle x, \lambda, \lambda \rangle, \{\langle \lambda, x, \lambda \rangle, \{\langle \lambda, \lambda, x \rangle\}\}\})$ 

$= \{next^A(\langle x, \lambda, \lambda \rangle)\} \cup \{next^A(\{\langle \lambda, x, \lambda \rangle, \{\langle \lambda, \lambda, x \rangle\}\})\}$ 

$= \{0\} \cup \{\{next^A(\langle \lambda, x, \lambda \rangle)\} \cup \{next^A(\{\langle \lambda, \lambda, x \rangle\})\}\}$ 

$= \{0\} \cup \{\{0\} \cup \{\{next^A(\langle \lambda, \lambda, x \rangle)\}\}\}$ 

$= \{0\} \cup \{\{0\} \cup \{\{x\}\}\}$ 

$= \{0\} \cup \{\{0, \{x\}\}\}$ 

$= \{0, \{0, \{x\}\}\}$ 

Example 7  If $\beta_1 = \{a, \{b\}, \{c\}\}$ and $\beta_2 = \{d, \{e\}\}$, then (omitting the intermediate steps) 

$f(\beta_1, \beta_2) = \{f(a, d),\ \{f(b, d), \{f(b, e)\}\},\ \{f(c, d), \{f(c, e)\}\},\ \{f(a, e), \{f(b, e)\}, \{f(c, e)\}\}\}$ 

Traditionally,  one  data  type  is  said  to  be  implemented  by  another  if  there  exists  a  homomorphism 
from  the  implementation  to  the  specification.  We  extend  this  notion  to  DDTs  by  defining  a  homo¬ 
morphism  from  behaviors  of  the  implementation  to  behaviors  of  the  specification. 

Definition 10  Let $A$ be a finite $\Sigma_A$-DDT and $B$ be a finite $\Sigma_B$-DDT such that $\Sigma_B \subseteq \Sigma_A$. Then an implementation homomorphism $\Phi : A \to B$ is a family of functions $\langle \Phi_s : A_s \to B_s \rangle_{s \in S}$ such that 

for all $f : s_1 \times \ldots \times s_n \to s \in F$ and all $\langle a_{s_1}, \ldots, a_{s_n} \rangle \in A_{s_1} \times \ldots \times A_{s_n}$ 

$\Phi_s(f^A(\tau_{s_1}(a_{s_1}), \ldots, \tau_{s_n}(a_{s_n}))) \sqsubseteq f^B(\tau_{s_1}(\Phi_{s_1}(a_{s_1})), \ldots, \tau_{s_n}(\Phi_{s_n}(a_{s_n})))$ 

where $\Phi_s(0) = 0\ \forall s \in S$ ($\Phi_s$ being applied node by node when its argument is a behavior). If $\Phi$ preserves $\sim$ rather than $\sqsubseteq$, then $\Phi$ is said to be an equivalence homomorphism. 


The  existence  of  an  implementation  homomorphism  guarantees  that  an  implementation  can  exhibit 
only  behaviors  which  are  more  deterministic  than  the  behaviors  allowed  by  the  specification.  If 
A  implements  B,  then  A  may  be  safely  substituted  for  B  in  any  larger  context.  An  equivalence 
homomorphism  guarantees  that  an  implementation  can  exhibit  all  the  behaviors  allowed  by  the 
specification,  and  vice-versa.  If  A  is  equivalent  to  B,  then  A  may  be  substituted  for  B  and  B  may 
be  substituted  for  A  in  any  larger  context. 


Example 8  Let $A$ be the distributed queue DDT of Examples 1 and 2. Let $B$ be a stable queue of length 3 (i.e., a DDT with no internal operations) such that $B$ has the same signature as $A$ except that $I_{queue} = \emptyset$. Let the carriers of $B$ be $B_{queue} = \{w \mid w \in ITEM^*, |w| \le 3\}$ and $B_{item} = ITEM$, and the operations of $B$ be 

$nq^B() = \Lambda$ 

$enq^B(w, u) = uw$ if $|w| < 3$, $0$ otherwise 

$deq^B(w) = w'$ if $w = w'u$, $0$ otherwise 

$next^B(w) = u$ if $w = w'u$, $0$ otherwise 

where $\Lambda$ is the empty string, $w \in ITEM^*$ such that $|w| \le 3$, and $u \in ITEM$. Then $\Phi_{queue}(\langle x, y, z \rangle) = xyz$ (each $\lambda$ read as the empty string) and $\Phi_{item}(u) = u$ is an equivalence homomorphism from $A$ to $B$. For example, making use of the results of Example 6 we have 

$\Phi_{item}(next^A(\tau_{queue}(\langle x, \lambda, \lambda \rangle)))$ 

$= \Phi_{item}(\{0, \{0, \{x\}\}\})$ 

$= \{0, \{0, \{x\}\}\}$ 

$\sim \{x\}$ 

$= \{next^B(x)\}$ 

$= next^B(\{x\})$ 

$= next^B(\tau^B_{queue}(x))$ 

$= next^B(\tau^B_{queue}(\Phi_{queue}(\langle x, \lambda, \lambda \rangle)))$ 

Similar results hold for all possible operations and arguments, establishing that a distributed queue of length 3 is equivalent to a stable queue of length 3. In verifying any larger system incorporating a distributed queue, this allows us to substitute the stable specification to simplify the analysis. 
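The constructions of Definitions 4 to 10 are small enough to be run. The following Python is an added example, not code from the paper: it encodes behaviors as (root, set of sub-behaviors) pairs, the distributed queue of Example 2 and the stable queue of Example 8, the $\tau$ operator, the lifting of an operation to behaviors, the implementation preorder with its four rules, and finally checks the "similar results hold for all possible operations and arguments" claim of Example 8 exhaustively over a two-element ITEM set. The refusal symbol and $\lambda$ are given ASCII stand-ins, and all function names are this example's own.

```python
"""Added example (not from the paper): behaviors (Def. 4), the tau operator (Def. 8),
operations lifted to behaviors (Def. 9), the implementation preorder (Def. 6) and the
Example 8 homomorphism check, in Python. All names below are this example's own."""

REFUSAL = "0"      # the paper's refusal symbol 0
LAMBDA = "-"       # the paper's lambda, an empty queue cell (ASCII stand-in, assumption)
ITEM = ("a", "b")  # a small ITEM set so the homomorphism can be checked exhaustively

# A behavior is a pair (root, frozenset of sub-behaviors); a leaf is a stable behavior.
def leaf(x): return (x, frozenset())
def node(x, *subs): return (x, frozenset(subs))
def root(b): return b[0]
def succ(b): return b[1]

# The distributed queue A of Example 2: cells <x, y, z>; items enter at x and leave at z.
def nq_A(): return (LAMBDA, LAMBDA, LAMBDA)
def enq_A(q, u): x, y, z = q; return (u, y, z) if x == LAMBDA else REFUSAL
def deq_A(q): x, y, z = q; return (x, y, LAMBDA) if z != LAMBDA else REFUSAL
def next_A(q): x, y, z = q; return z if z != LAMBDA else REFUSAL
def tau1_A(q): x, y, z = q; return (LAMBDA, x, z) if x != LAMBDA and y == LAMBDA else REFUSAL
def tau2_A(q): x, y, z = q; return (x, LAMBDA, y) if y != LAMBDA and z == LAMBDA else REFUSAL
INTERNAL_A = (tau1_A, tau2_A)   # I_queue

# The stable queue B of Example 8: strings of at most three items, newest on the left.
def nq_B(): return ""
def enq_B(w, u): return u + w if len(w) < 3 else REFUSAL
def deq_B(w): return w[:-1] if w else REFUSAL
def next_B(w): return w[-1] if w else REFUSAL

def tau(a, internal):
    """Def. 8: a together with every object it may spontaneously evolve into."""
    return node(a, *(tau(i(a), internal) for i in internal if i(a) != REFUSAL))

def lift(f, *betas):
    """Def. 9: apply f to behaviors; a refusal among the roots propagates."""
    roots = [root(b) for b in betas]
    r = REFUSAL if REFUSAL in roots else f(*roots)
    subs = [lift(f, *betas[:i], s, *betas[i + 1:]) for i, b in enumerate(betas) for s in succ(b)]
    return node(r, *subs)

def implements(b, b2):
    """Def. 6: b is at least as deterministic as b2 (rules 1 to 4, tried in order)."""
    if not succ(b) and not succ(b2):
        return root(b) == root(b2)
    if succ(b) and root(b) in (root(b2), REFUSAL) and all(implements(s, b2) for s in succ(b)):
        return True
    return any(implements(b, s2) for s2 in succ(b2))

def equivalent(b, b2):
    """Def. 7: the kernel of the implementation preorder."""
    return implements(b, b2) and implements(b2, b)

# Phi of Example 8, extended node by node to behaviors with Phi(0) = 0.
def phi_queue(q): return "".join(c for c in q if c != LAMBDA)
def phi_item(u): return u
def map_behavior(phi, b):
    r = root(b)
    return node(r if r == REFUSAL else phi(r), *(map_behavior(phi, s) for s in succ(b)))

A_QUEUE = [(x, y, z) for x in (LAMBDA,) + ITEM for y in (LAMBDA,) + ITEM for z in (LAMBDA,) + ITEM]

def is_equivalence_homomorphism():
    """Def. 10 with ~: Phi(f^A(tau(a))) ~ f^B(tau(Phi(a))) for every operation and argument."""
    for q in A_QUEUE:
        ta, tb = tau(q, INTERNAL_A), tau(phi_queue(q), ())   # B has no internal operations
        checks = [(map_behavior(phi_queue, lift(nq_A)), lift(nq_B)),
                  (map_behavior(phi_queue, lift(deq_A, ta)), lift(deq_B, tb)),
                  (map_behavior(phi_item, lift(next_A, ta)), lift(next_B, tb))]
        checks += [(map_behavior(phi_queue, lift(enq_A, ta, leaf(u))), lift(enq_B, tb, leaf(u)))
                   for u in ITEM]
        if not all(equivalent(lhs, rhs) for lhs, rhs in checks):
            return False
    return True
```

With x = "a", tau(("a", LAMBDA, LAMBDA), INTERNAL_A) is the chain of Example 5, lift(next_A, ...) on it is the {0, {0, {x}}} of Example 6, and that behavior is equivalent to leaf("a") exactly as Example 8 claims. The exhaustive check passes because every internal step of A maps to the same string under phi_queue, and at the fully shifted end of each chain A refuses an operation only when B does.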
Abstract: In this paper the problem of sequential Fortran restructuring is considered. The need to reuse the large amount of scientific programs written in sequential Fortran has captured the attention of various computer scientists since the arrival of parallel computers. This problem needs a good abstract approach in order to provide an intelligent software package which can automatically execute the task. In this paper the case of subroutine dependences is considered. A formal mathematical model based on discrete event system theory is first introduced. Further results are obtained based on this model. The recurrence property of the model suggested approaching the implementation through a logic programming technique. An expert system shell was used to ease the implementation. Practical results and a demonstration package resulted. 

1. INTRODUCTION

The increasing interest in parallel computers and their capabilities to speed up the execution of computationally intensive scientific programs has generated increased research to support programmers with more enhanced programming tools.

Scientific programming, characterized by a high level of floating-point computation, usually uses Fortran programs to implement a requested algorithm. A lot of already available sequential code must be reconsidered and rewritten, or in other words restructured [1], in order to be executed in a parallel environment.

There are commonly available computers [1], [2], [5] which vectorize code written in standard Fortran. The compiler attempts to convert the innermost loops to vector operations.

Even  though  great  progress  has  been  made  in  automatic  code  restructuring,  the  only  automatic 
system  available  to  date  is  limited  to  individual  loops  [1].  The  analysis  of  parallelism  in  independent 
nested  DO  loops  has  been  also  reported  [8].  Parallelism  at  a  larger  granularity  must  be  explicitly 
specified  by  the  programmer  [1]. 

In  this  respect,  programming  environments  that  could  help  a  programmer  to  develop  explicitly 
parallel  programs  are  or  have  been  under  research  [1],  [3]  for  specific  architectures. 

In  order  to  efficiently  use  a  parallel  multiprocessor  system  it  is  necessary  not  only  to  achieve  the 
fine-grain  parallelism,  through  the  DO  loop  vectorization,  but  also  the  coarse-grain  parallelism  such  as 
subroutine  calls. 

However, this subject remained untouched because of the complexity of the analysis process for the parallelism detection.

When affirming this we have in mind the case of multiple levels of subroutine calls, which is obvious in any reasonable and well structured FORTRAN program. In support of the last statement we mention the Cray-1 FORTRAN compiler, which stops the vectorization when a subroutine call is encountered [1].

In order to achieve this fine analysis the compiler, or other software that can do this, has to be provided with reasoning capabilities [1]. This means unification, a reasoning mechanism, forward chaining, backtracking and so on.

The  development  of  logic  programming  techniques  provides  this  environment  which  allows  the 
computer  to  deal  with  problems  requiring  intelligence.  A  practical  implementation  of  this  piece  of 
software  will  be  finally  in  the  form  of  an  expert  system. 

Expert  system  shells  that  can  interface  external  libraries  in  Fortran  are  excellent  environments 
that  provide  a  lot  of  facilities  to  accomplish  the  task  of  parallelizing  sequential  FORTRAN  code. 


The  blackboard  of  an  expert  system  shell  provides  the  storage  elements  which  help  to  solve  this 
problem  dynamically.  On  the  other  hand,  the  powerful  reasoning  capabilities  of  the  expert  system 
provide  other  necessary  complex  mechanisms  for  obtaining  the  subroutine  dependences. 

As an example, a Fortran program containing an arbitrary number of subroutines is processed by the expert system.

2.  PRELIMINARIES 

In order to provide a mathematical approach to the detection of subroutine dependences the following notations will be introduced:

- the set of input variables: U = {u_k | u_k real and integer variables, strings, arrays, etc., k ∈ N}

- the set of output variables: Y = {y_k | y_k real and integer variables, strings, arrays, etc., k ∈ N}

- the set of commands: C = {c_k | l_i: if e go to l_2 else go to l_3, fi ∨ l_i: (x_1, ..., x_n) := (f_1, ..., f_n), go to l_2 (n ≥ 1)} where the l_i are labels, l_1 = end, l_2 = l_3, e is a quantifier-free formula, and fi is the finish of the if

- the set of elementary "subprograms" S_0 = {s_k | s_k elementary functions or subroutines}, where an elementary function or subroutine is considered that function or subroutine which does not call any subprogram.

- the set of all functions or subroutines S ⊇ S_0

Under this consideration a subroutine is defined as follows:

s : U × C × P → Y

The dependence relations are introduced as follows:

Definition 1: Consider i < j in a lexicographical order; the subroutine s_j(u_1, ..., u_{n_j}, y_1, ..., y_{m_j}) is said to be dependent on subroutine s_i(u_1, ..., u_{n_i}, y_1, ..., y_{m_i}) if one of the following conditions holds:

i) U_i ∩ U_j ≠ ∅
ii) U_j ∩ Y_i ≠ ∅
iii) Y_i ∩ Y_j ≠ ∅

with i, j ∈ {1, ..., p}, where p is the total number of subroutines, n_i, n_j, m_i, m_j ∈ N and U_i, Y_i, U_j, Y_j are the sets of input and output variables of subroutines i and j respectively.

3.  A  MATHEMATICAL  MODEL  OF  SUBROUTINE  DEPENDENCES 

As defined before, a subroutine can be viewed as a set of tasks which receives input variables and under some commands transforms these variables into output variables. This mapping can further be written as an explicit relation if an event graph is used to describe the sequence of transformations which occur during the subroutine execution. These transformations will be called activities and their set will be denoted by A. It has to be noted that a subroutine can also be viewed as an activity. The input and output variables are viewed as resources (R is the set of all resources used in the program) for the subroutine execution. A program is then an acyclic oriented graph G which is assumed to be connected. The set of the arcs of the graph G is denoted by T. For each resource r there is always a starting activity (node) a_s(r) and a final one a_f(r).

Each arc (i, j) ∈ T of the graph G is weighted by an integer t_ij ≥ 1 called the displacement. Each activity a_i will be executed following a certain path in the graph and consequently in an order given by the precedence number x_i. If (j, i) ∈ T then x_i = x_j + t_ij. A resource precedence number u_r will denote the moment the resource is used for the first time in the program. If i is the first activity for resource r, then x_i ≥ u_r.

Consider now P^-(i), the set of predecessors of activity i, and R^0(i), the set of resources such that a_s(r) = i; then for every a_i ∈ A

x_i = max( max_{j ∈ P^-(i)} (x_j + t_ij), max_{r ∈ R^0(i)} u_r )   (1)

Let A be the n×n weighted incidence matrix of (A, T) defined by A_ij = t_ij if (i, j) ∈ T and A_ij = -∞ otherwise, where n = Card(A). Similarly, let B be an r×n matrix, where r = Card(R), defined by b_ri = 0 if a_s(r) = i and b_ri = -∞ otherwise.

Using the above introduced matrices and the minmax algebra (⊕ is max, the matrix product is taken with ⊗ = +) the following results can be obtained:

• The equation (1) can be written as

X = XA ⊕ UB   (2)

where X = (x_1, x_2, ..., x_n) and U = (u_1, u_2, ..., u_r).

Letting y_r denote the precedence number of the activity where the resource is used for the last time, and c_ir = 0 if a_f(r) = i for some r and c_ir = -∞ otherwise, a second relation is obtained:

Y = XC   (3)

• Theorem 1: For a given U the equation X = XA ⊕ UB has a unique solution: X = UBA*, where A* = (E ⊕ A ⊕ A^2 ⊕ ... ⊕ A^{n-1}), E is the identity matrix defined as e_ii = 0 and e_ij = -∞ for i ≠ j, and A^n = A^{n-1}A.

• Theorem 2: A* contains as entries the maximal weights of paths between two nodes and provides in this way the precedence numbers reflecting the activity dependences.

• Theorem 3: If the critical graph of A* has only one path then there is a total dependence among the activities (subroutines) and their execution can only be sequential.

• Theorem 4: If the critical graph of A* has K connected components, then there are K subroutines which can be executed in parallel.

• The previous results can be extended to the DO loop case. A DO loop can be seen as a part of a program which repeatedly performs the same activities over the same set of input and output variables. Using the index variable n, X(n) will be the vector of the activities in the n-th run of the loop, and correspondingly U(n) will be the resource vector in the same run. This leads to the following model: U(n) = Y(n-1)K, where K is an r×r matrix such that K_rs = -∞ for r ≠ s and K_rr = the displacement between a_f(r) and a_s(r). Using these observations and the previous results one can write

Y(n) = Y(n-1)KBA*C   (4)

which is a forward dynamic programming equation.
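The model of this section, worked through in code as an added example (not code from the paper or its expert system): the max-plus operations ⊕ and ⊗ (matrix juxtaposition above is ⊗), the closure A* of Theorem 1, the precedence numbers X = UBA*, a check that X is a fixpoint of equation (2), and the activity pairs that no path of the event graph orders. The four-activity graph, its displacements and the two resources are constructed for the example; reading unordered pairs off A* is this example's interpretation of Theorem 4, which the paper states in terms of the critical graph.

```python
"""Precedence numbers of activities via the max-plus (minmax algebra) model:
X = X(x)A (+) U(x)B solved as X = U(x)B(x)A*, plus the activity pairs that
no path of the event graph orders (candidates for parallel execution)."""

NEG_INF = float("-inf")   # the algebra's zero element: "no arc / no path"

def oplus(P, Q):
    """Elementwise (+) (max) of two equally shaped matrices."""
    return [[max(a, b) for a, b in zip(rp, rq)] for rp, rq in zip(P, Q)]

def otimes(P, Q):
    """Max-plus product: (P(x)Q)_ij = max_k (P_ik + Q_kj)."""
    n, m, k = len(P), len(Q[0]), len(Q)
    return [[max(P[i][t] + Q[t][j] for t in range(k)) for j in range(m)] for i in range(n)]

def identity(n):
    """E: e_ii = 0, e_ij = -inf for i != j."""
    return [[0 if i == j else NEG_INF for j in range(n)] for i in range(n)]

def star(A):
    """A* = E (+) A (+) A^2 (+) ... (+) A^(n-1); entry (i, j) is the maximal
    path weight from i to j (Theorem 2), -inf when no path exists."""
    n = len(A)
    result, power = identity(n), identity(n)
    for _ in range(n - 1):
        power = otimes(power, A)
        result = oplus(result, power)
    return result

def incidence_matrix(n, arcs):
    """A_ij = t_ij if (i, j) is an arc, -inf otherwise. arcs: {(i, j): t_ij}, 0-based."""
    A = [[NEG_INF] * n for _ in range(n)]
    for (i, j), t in arcs.items():
        A[i][j] = t
    return A

def resource_matrix(n, first_use):
    """B (r x n): b_ri = 0 if a_s(r) = i, -inf otherwise.
    first_use[r] is the index of the first activity using resource r."""
    B = [[NEG_INF] * n for _ in first_use]
    for r, i in enumerate(first_use):
        B[r][i] = 0
    return B

def precedence_numbers(A, B, U):
    """Theorem 1: the unique solution X = U(x)B(x)A* of X = X(x)A (+) U(x)B.
    U is the row vector (u_1, ..., u_r) of resource precedence numbers."""
    return otimes(otimes([U], B), star(A))[0]

def is_fixpoint(X, A, B, U):
    """True iff X satisfies equation (2): X = X(x)A (+) U(x)B."""
    return oplus(otimes([X], A), otimes([U], B))[0] == list(X)

def unordered_pairs(A):
    """Pairs (i, j), i < j, with no path in either direction in A*: activities the
    event graph does not order, hence candidates for parallel execution
    (this example's reading of Theorem 4)."""
    S, n = star(A), len(A)
    return [(i, j) for i in range(n) for j in range(i + 1, n)
            if S[i][j] == NEG_INF and S[j][i] == NEG_INF]

# Constructed sample (not the paper's): activities a0..a3 with displacements t_ij,
# resource 0 first used by a0 (u = 0), resource 1 first used by a2 (u = 5).
ARCS = {(0, 1): 1, (0, 2): 1, (1, 3): 2, (2, 3): 1}
A_MAT = incidence_matrix(4, ARCS)
B_MAT = resource_matrix(4, first_use=[0, 2])
U_VEC = [0, 5]

if __name__ == "__main__":
    X = precedence_numbers(A_MAT, B_MAT, U_VEC)
    print("X =", X, "fixpoint of (2):", is_fixpoint(X, A_MAT, B_MAT, U_VEC))
    print("unordered activity pairs:", unordered_pairs(A_MAT))
```

For the sample graph the solution is X = (0, 1, 5, 6): activity a2 cannot start before its resource becomes available at u = 5, which then pushes a3 to 6 even though the path through a1 would only reach 3; a1 and a2 are the only pair with no path between them in either direction.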


4.  A  LOGIC  PROGRAMMING  IMPLEMENTATION 

The recurrence of the previous model suggests a logic programming implementation.

Using the model given by (1) and (3), the results of Theorems 1-4, and introducing the following recursive functions:

• find_calls(x, first(l)) = find_calls(x, find_inner_sub(x, find_calls(x, first(new_l))))

• find_inner_sub(x, l) = find_inner_sub(x, find_calls(x, rest(l)))

where first(l) and rest(l) are the head and the tail of the list l, and new_l is a working list containing at a certain moment the names of the subroutines under processing

• norelation(): list(a_i(x_i, u_i), a_i(y_i)) → list(s_i)

• indx_i(u_{a_i}, call_{k_i}) → l_i, where l_i is a string of procedure names stored as a list, x_i being defined by indx_i() = {l_i1, l_i2}, with l_i1 being the list of dependent subroutines and l_i2 the list of independent ones.

With the above introduced recursive functions the main result can be stated as follows:

Proposition: For every list l of activities a_i, i ∈ N, if the activities a_i are subroutines and if l is a nonempty list, the following recursive function

indx_i(x, first(l)) = x_i(x, rest(x_i(norelation(y_i, l_y), first(rest(l)))))

will build the list of all independent subroutines of the analyzed Fortran program.
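Definition 1 of Section 2 and the dependent/independent lists that the Proposition above builds, as one added example in Python (not the paper's expert system rules and not the demonstration package): each subroutine is given as its name with the sets U_i and Y_i, the three conditions of Definition 1 are tested pairwise for i < j, and the program-order list is split into the dependent subroutines (those depending on some earlier one) and the independent ones, once iteratively and once in the first(l)/rest(l) recursive form. The four sample subroutines and their variable sets are constructed for the example.

```python
"""Subroutine dependence (Definition 1) and the dependent/independent
subroutine lists, over constructed sample subroutines."""

# Constructed sample: (name, input set U_i, output set Y_i) in program order.
SUBROUTINES = [
    ("S1", {"a", "b"}, {"x"}),
    ("S2", {"c"}, {"y"}),
    ("S3", {"x", "d"}, {"z"}),
    ("S4", {"e"}, {"y"}),
]

def dependence_conditions(si, sj):
    """Conditions of Definition 1 under which the later s_j depends on the earlier s_i.

      i)   U_i and U_j share an input variable
      ii)  s_j reads a variable that s_i writes (U_j and Y_i intersect)
      iii) both write the same variable (Y_i and Y_j intersect)
    Returns the list of condition labels that hold (empty: no dependence)."""
    _, ui, yi = si
    _, uj, yj = sj
    found = []
    if ui & uj:
        found.append("i")
    if uj & yi:
        found.append("ii")
    if yi & yj:
        found.append("iii")
    return found

def is_dependent(si, sj):
    return bool(dependence_conditions(si, sj))

def split_subroutines(subs):
    """Split an ordered list of (name, U, Y) into (dependent, independent) name lists.

    s_j goes to the dependent list if it depends on any earlier s_i (i < j);
    otherwise it is independent of everything before it."""
    dependent, independent = [], []
    for j, sj in enumerate(subs):
        if any(is_dependent(subs[i], sj) for i in range(j)):
            dependent.append(sj[0])
        else:
            independent.append(sj[0])
    return dependent, independent

def independent_recursive(subs, done=()):
    """Recursive form in the spirit of the Proposition: decide first(l) against
    the subroutines already processed, then recurse on rest(l)."""
    if not subs:
        return []
    first, rest = subs[0], subs[1:]
    head = [] if any(is_dependent(d, first) for d in done) else [first[0]]
    return head + independent_recursive(rest, done + (first,))

def dependence_matrix(subs):
    """Every dependent pair as (earlier, later, conditions), for inspection."""
    out = []
    for j, sj in enumerate(subs):
        for i in range(j):
            conds = dependence_conditions(subs[i], sj)
            if conds:
                out.append((subs[i][0], sj[0], tuple(conds)))
    return out

if __name__ == "__main__":
    print("dependent / independent:", split_subroutines(SUBROUTINES))
    print("pairs:", dependence_matrix(SUBROUTINES))
```

In the sample, S3 reads x, which S1 writes (condition ii), and S4 writes y, which S2 also writes (condition iii), so S3 and S4 land in the dependent list while S1 and S2 are independent. Note that condition i) treats two subroutines that merely read the same variable as dependent, which is what Definition 1 states; a tool that only wanted flow and output dependences would drop that condition.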

An expert system shell has been used for the implementation of the above abstract mechanism for the detection of the subroutine dependences. An expert system has been obtained. The tasks accomplished by the expert system are: 1) the generation of an abstract Fortran file, 2) the generation of input/output variable and command lists, 3) the generation of all Fortran statements (a_i), 4) the generation of the corresponding x_i, u_i, y_i lists, 5) the dependency check, 6) the generation of the lists of dependent and independent subroutines, 7) recursively repeating (6), 8) the displaying of the final lists.

The above implementation has been checked on examples of various degrees of difficulty. In a demonstration package a Fortran program with three levels of calls is considered for a dependency check. The expert system was implemented on a Vax and Compaq 386 environment.

5.  CONCLUSIONS 

The approach developed in this paper for detecting the subroutine dependences is based on a discrete event system model. The implementation has been accomplished by using a logic programming technique. To facilitate the implementation an expert system shell has been used. It provided the appropriate mechanism for reasoning, recursion, communication, and dynamic tracking of activities. It is a powerful and productive tool for developing software tasks previously implemented in compilers.
Abstract

The use of algebraic techniques in the development of software enables systems to be built which have a precise formal foundation. Such formal methods [1] can help considerably in reducing the susceptibility to errors of interpretation and consistency of many of the current ad hoc procedures used in system design. This is of particular importance for building large and reliable systems. Furthermore, the use of formal techniques enables rigorous calculations of various properties to be made on a system like, for example, absence of deadlock.

In this paper we are concerned with how systems expressed in such a manner can be used to systematically generate specifications which may, in principle, be performed without any human intervention [2].

In particular, we deal with the type of situation where the specification of an unknown system component is derived from two given specifications. The pre-requisites for solution to the problem we consider are that the known specifications are formally expressed in terms of states and that the component to be synthesised interacts with them in some predefined way.

1  Notation 

We are dealing with finite communicating transition systems as described in [3,4] in which α, β, γ, μ, ... and ᾱ, β̄, γ̄, μ̄, ... denote actions, τ is a special action called the invisible action and p_i, p_j, q, r, ... are states; ε denotes an empty sequence of actions. A direct μ derivation between states is a relation between two states and an action, written p_i —μ→ p_j, in which p_i is the source and p_j the destination. R(p) is the set of all states reachable from p; A(p) (called the alphabet of p) is the set of all actions which are possible for all p' ∈ R(p). M_p is a machine which can exist in state p. For conciseness we write p_1 —α→ p_2 —β→ p_3 to mean (p_1 —α→ p_2) ∧ (p_2 —β→ p_3). A set of relations sharing the same source is written as a behaviour equation: p_1 ⇐ αp_2 + βp_3 means that (p_1 —α→ p_2) ∧ (p_1 —β→ p_3) and that there are no other relations having p_1 as a source. We express the ability of two transition systems to communicate by use of complementary actions such as μ and μ̄ and the parallel composition operator |. If p = μp' and r = μ̄r' then (p|r) = μ(p'|r) + μ̄(p|r') + τ(p'|r') ([3, Expansion Theorem]). That is, if p can do an action and r can do the complementary action, then the composition of the two can do either of these (in which case only one of the machines changes state) or it can perform the invisible τ action (in which case both machines change state). Given one machine we can derive another by 'hiding': that is, removing all transitions in which the action belongs to a set A; the τ action may not appear in such a set. In the previous example if we define a set A = {μ} then (p|r)\A = τ(p'|r'). By convention hiding an action implies hiding its complementary action. We define p ⇒μ p' to be a relation between two states p and p' and action μ (≠ τ) if and only if

p —τ→ p_1 —τ→ p_2 ... —τ→ p_k —μ→ p_{k+1} —τ→ ... —τ→ p'
(0 or more τs) (exactly one μ) (0 or more τs)

Replacing μ by τ in the above figure gives a representation of the definition of the relation p ⇒ε p' (where ε is the null string), which indicates that two states are connected by a sequence of zero or more τ actions. For conciseness we use p —μ→ (read as 'p can do a μ') to mean ∃p' such that p —μ→ p' (but we are not interested in what p' is). Observational equivalence is defined in such a way that two states p and q are observationally equivalent, written p ≈ q, if and only if for every μ i) if p ⇒μ p' then there exists a q' such that q ⇒μ q' and p' ≈ q' and ii) if q ⇒μ q' then there exists a p' such that p ⇒μ p' and p' ≈ q'. Weak determinacy is defined in such a way that if p ⇒μ p' and p ⇒μ p'' then p' ≈ p''.
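The notation of this section made executable, as an added example that is not part of the paper: a small labelled transition system with direct derivations, R(p) and A(p), parallel composition following the expansion theorem (a μ/μ̄ pair synchronises into a τ step), hiding of a set A together with its complements, the weak derivations p ⇒μ p' and p ⇒ε p', and an observational-equivalence check computed as the greatest weak bisimulation. Complementary actions are encoded here by a leading '~' (so '~c' is the complement of 'c'), τ is the string "tau", and the two machines P, R and the specification SPEC are constructed for the example.

```python
"""Finite communicating transition systems: direct and weak derivations,
expansion-theorem composition, hiding and observational equivalence."""
from itertools import product

TAU = "tau"   # the invisible action

def complement(action):
    """Complementary action: 'c' <-> '~c' (tau has no complement)."""
    if action == TAU:
        raise ValueError("tau has no complement")
    return action[1:] if action.startswith("~") else "~" + action

class LTS:
    """trans: state -> set of (action, target). States are any hashable labels."""
    def __init__(self, trans):
        self.trans = {s: set(ts) for s, ts in trans.items()}
        for ts in list(self.trans.values()):          # every target is a state too
            for _, t in ts:
                self.trans.setdefault(t, set())

    def succ(self, s, a):
        """{p' | s --a--> p'}: direct derivations labelled a."""
        return {t for (b, t) in self.trans[s] if b == a}

    def reachable(self, s):
        """R(s): all states reachable from s."""
        seen, todo = {s}, [s]
        while todo:
            for _, t in self.trans[todo.pop()]:
                if t not in seen:
                    seen.add(t); todo.append(t)
        return seen

    def alphabet(self, s):
        """A(s): every action possible in some state of R(s)."""
        return {a for p in self.reachable(s) for a, _ in self.trans[p]}

    def tau_closure(self, s):
        """{p' | s ==eps==> p'}: zero or more tau steps."""
        seen, todo = {s}, [s]
        while todo:
            for t in self.succ(todo.pop(), TAU):
                if t not in seen:
                    seen.add(t); todo.append(t)
        return seen

    def weak_succ(self, s, a):
        """{p' | s ==a==> p'}: zero or more tau, exactly one a, zero or more tau
        (for a == tau this is just the tau closure, i.e. ==eps==>)."""
        if a == TAU:
            return self.tau_closure(s)
        out = set()
        for p1 in self.tau_closure(s):
            for p2 in self.succ(p1, a):
                out |= self.tau_closure(p2)
        return out

def compose(lp, lr, p0, r0):
    """(p|r) by the expansion theorem: either side moves alone, or a mu/mu-bar
    pair synchronises into a tau step in which both machines change state."""
    trans, todo, seen = {}, [(p0, r0)], {(p0, r0)}
    while todo:
        p, r = todo.pop()
        moves = {(a, (p1, r)) for a, p1 in lp.trans[p]} | {(b, (p, r1)) for b, r1 in lr.trans[r]}
        for a, p1 in lp.trans[p]:
            if a != TAU:
                moves |= {(TAU, (p1, r1)) for b, r1 in lr.trans[r] if b == complement(a)}
        trans[(p, r)] = moves
        for _, s in moves:
            if s not in seen:
                seen.add(s); todo.append(s)
    return LTS(trans)

def hide(lts, actions):
    """(p|r)\\A: drop every transition whose action is in A or is the complement
    of an action in A; tau may not be hidden."""
    assert TAU not in actions
    hidden = set(actions) | {complement(a) for a in actions}
    return LTS({s: {(a, t) for a, t in ts if a not in hidden} for s, ts in lts.trans.items()})

def observationally_equivalent(l1, p, l2, q):
    """p ~ q: refine the full relation R(p) x R(q) until every pair is matched
    weakly in both directions (greatest weak bisimulation)."""
    S1, S2 = l1.reachable(p), l2.reachable(q)
    acts = {a for s in S1 for a, _ in l1.trans[s]} | {a for s in S2 for a, _ in l2.trans[s]}
    rel = set(product(S1, S2))
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            ok = all(any((s1, t1) in rel for t1 in l2.weak_succ(t, a))
                     for a in acts for s1 in l1.succ(s, a)) and \
                 all(any((s1, t1) in rel for s1 in l1.weak_succ(s, a))
                     for a in acts for t1 in l2.succ(t, a))
            if not ok:
                rel.discard((s, t)); changed = True
    return (p, q) in rel

# Constructed machines (not from the paper): p0 <= ~c.p1, p1 <= a.p0 and r0 <= c.r1.
P = LTS({"p0": {("~c", "p1")}, "p1": {("a", "p0")}})
R = LTS({"r0": {("c", "r1")}})
PR = hide(compose(P, R, "p0", "r0"), {"c"})      # (p|r)\{c}: behaves as tau.a.0
SPEC = LTS({"q0": {("a", "q1")}})                # q0 <= a.q1

if __name__ == "__main__":
    print(observationally_equivalent(PR, ("p0", "r0"), SPEC, "q0"))
```

After hiding c, the composition from (p0, r0) can only do the τ that synchronises the two machines and then an a, and the check confirms that this is observationally equivalent to the specification a.0; the same check against a.b.0 fails because the specification's b has no weak match.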


2 Interface Equation

An interface equation is an expression of the form (p|X)\A ≈ q where A(p) ∩ A(q) ⊆ {τ}, A(p) ∩ A = ∅ and A(q) ∩ (A ∪ Ā) = ∅. (∅ denotes the empty set.) We say that r is a solution to the equation (p|X)\A ≈ q if r satisfies (p|r)\A ≈ q and A(r) ∩ A(p) ⊆ {τ}. In this paper we further assume that no pair of states q' and q'' ∈ R(q) are observationally equivalent. This slightly simplifies the exposition and significantly reduces problems in implementing the algorithm. Since it is straightforward to compute from a machine M not having this property a new machine M' which has this property, the assumption does not impose significant constraints on the applicability of the theory which we develop.

The interface equation may be thought of as being approximately the reverse of the expansion theorem; whereas the expansion theorem composes two given machines to produce an unknown third, we are attempting to compute the unknown machine which, when composed with a second, is observationally equivalent to a given third.


3  Methods  of  Solution 

A basic procedure for solving the interface equation is a discarding algorithm very similar to that described in [5]. In this procedure we construct a set ψ, each component K of which is an I-complete (defined later) set of tuples of the form (p', q'), where p' and q' are states of the machines M_p and M_q. We then compute, for every pair (K, K') the relations (defined later) K →τ K', K →μ,O K' and K →μ,C K'. We then scan through the components of ψ and discard any component K that is not O-complete (defined later) with respect to ψ. We iterate this scan until either no set remains that fails the O-completeness check (in which case we have found a solution) or none of the sets of ψ contains the tuple (p, q) (in which case no solution exists). The solution is expressed by creating one state of the solution for each K in ψ. Derivations between r-states are readily associated with derivations between K-sets thus: if there is a →τ between two K sets there is a —τ→ between the corresponding r states; if there is a →μ,O or →μ,C between two K sets there is a —μ→ between the corresponding r states. The procedure of forming I-complete sets entails (in the most basic form of the algorithm) the formation of all possible valid unions of basic sets of tuples called B_Iτ sets. Each of these B_Iτ sets is I-complete, and the formation of valid unions consists of forming only those unions which retain this I-completeness condition.


4  Key  steps  in  the  theory 

Relations between tuples: Let us first introduce relations →μ,I and →τ,P between tuples, where μ ∈ A(p) ∪ A(q) − {τ}: define (p', q') →μ,I (p'', q'') iff p' —μ→ p'' and q' ⇒μ q'', and define (p', q') →τ,P (p'', q'') iff p' —τ→ p'' and q' ⇒ε q''. We then introduce sets of tuples I_μ,I and I_τ,P and define I_μ,I(p', q', p'') = {(p'', q'') | (p', q') →μ,I (p'', q'')} and I_τ,P(p', q', p'') = {(p'', q'') | (p', q') →τ,P (p'', q'')}. We also need two further relations between tuples, →μ,O and →μ,C: define (p', q') →μ,O (p'', q'') iff p' ⇒ε p'' and q' —μ→ q'' and μ ∈ A(q) − A(p) and μ ≠ τ; define (p', q') →μ,C (p'', q'') iff p' —μ→ p'' and q' ⇒ε q'' (where ε is the null string) and μ ∈ A and μ ≠ τ.

B_Iτ sets: A key step in developing efficient algorithms is the introduction of B_Iτ sets, which are defined in terms of the preceding sets, as follows. Define B_Iτ^(i)(p', q') (i ∈ {1, 2, ...}) by the following: (p', q') ∈ B_Iτ^(i)(p', q'); if (p'', q'') ∈ B_Iτ^(i)(p', q') and (I_μ,I(p'', q'', p''') ≠ ∅) or (I_τ,P(p'', q'', p''') ≠ ∅) then (p''', q''') ∈ B_Iτ^(i)(p', q') is any one of the tuples in I_μ,I ∩ I_τ,P (if both are non-empty) or any tuple in the non-empty set if only one of them is empty. If q is not weakly determinate then for a given (p', q') there may be several B_Iτ sets depending on which of the tuples is selected; the superscript (i) is used to distinguish between these sets.

I-completeness: I-completeness is a property of a set K of tuples, K being a union of sets. Such a set is I-complete iff ∀(p', q') ∈ K, if p' —μ→ (μ ∉ A and μ ≠ τ) then q' ⇒μ.


5  Relations  between  sets 

We define five relations between sets: →τ, →μ,C, ⇒τ, ⇒μ,O and ⇒μ,C. Define K →τ K' iff ∀(p', q') ∈ K ∃(p'', q'') ∈ K' s.t. (p', q') →τ,P (p'', q''). Define K →μ,C K' iff ((∃(p', q') ∈ K) and (∃(p'', q'') ∈ K') s.t. (p', q') →μ,C (p'', q'')) and (∀(p', q') ∈ K, if p' —μ→ with μ ∈ A then ∃(p'', q'') ∈ K' s.t. (p', q') →μ,C (p'', q'')). Define K ⇒μ,O K' iff there exists a sequence of sets K_i such that

K →τ K_1 →τ K_2 ... →τ K_3 →μ,O K_4 →τ K_5 ... →τ K'
(zero or more τs) (exactly one μ,O) (zero or more τs)

Similar definitions are made for μ,C and τ derivations.


O-completeness: A set K is said to be O-complete with respect to a set ψ if for all (p', q') ∈ K, if μ ∈ A(q) and q' —μ→ q'' then there exists a sequence of sets K_i and tuples (p_i, q_i) (where each (p_i, q_i) ∈ K_i) such that

j/  =>Ml  Pi  Pa  •••P4^‘XP5 

•  -if4=>r  •  •=>**' 

and (p', q'') ∈ K' where, if μ = τ then X = ε and Y = ε, otherwise either X = μ and Y = ε or X = ε and Y = μ. Notice that I-completeness of a set is not influenced by other sets; in contrast, O-completeness, while still being a property of a set, is influenced by that set's relations with other sets.

6  Key  steps  in  algorithm  development 

The practical problem of this basic approach is its combinatorial complexity, which causes the number of sets in ψ to be very large. This complexity arises from (i) the formation of all possible valid unions of B_Iτ sets, and (ii) the relaxation of weak determinacy, which considerably increases the number of B_Iτ sets [6].

We have attempted to reduce the computational requirements in two ways. First we have refined the basic procedure described above by introducing the concept of minimal unions [7]. This concept considerably reduces the number of sets that we have to deal with in performing the O-completeness tests. Secondly, we have attempted a constructive approach [8] instead of a discarding approach.

The minimal-union approach to improving the basic discarding algorithm is to try to avoid forming unions which are not essential to a solution. We can do this by first considering images of derivations between sets. For example, the image of a τ derivation from K to K' is the set V ⊆ K' given by {(p'', q'') | (p'', q'') ∈ K' ∧ ∃(p', q') ∈ K s.t. (p', q') →τ,P (p'', q'')}. Similar definitions are made for μ,C and μ,O derivations. A minimal union from K containing K' is defined to be the union of only those B_Iτ(p', q') sets with (p', q') ∈ K' such that B_Iτ(p', q') ⊆ K. We have found that it is sufficient to consider only minimal unions of images of μ,C, μ,O and τ derivations in computing solutions, allowing a considerable reduction in computing requirements in some examples.

In the constructive approach we delay the steps which generate the large number of sets as long as possible. Instead of performing the single linear sequence of forming B_Iτ sets, I-complete sets, unions, and then carrying out the O-completeness tests, we carry out an iterative procedure. In this iterative procedure we do not immediately set up I-complete sets but set up what we call I'-complete sets (which at any stage we can expand to produce I-complete sets). We then test these sets for a more complicated form of O-completeness which we term O'-completeness. If this test fails on some set K, we then derive from the offending set more I'-complete sets by a heuristic process outlined in the next section. In this way we hope to avoid the exponential explosion of states when attempting to solve real problems.

7  Constructive  algorithm  concepts 

In the constructive algorithm, as well as eliminating unnecessary generation of B_Iτ sets, or at least postponing such generation to a late stage, we pre-process the q machine into a minimum action representation. This produces a new machine observationally equivalent to the original q but with new and useful properties. The minimum action representation of a machine M is derived from the original machine by removing all derivations q —μ→ q' which are not observationally essential. A derivation of the form q —μ→ q' (where μ ∈ A(q) − {τ}) is observationally essential iff ∀q'' s.t. q'' ≉ q, q ⇒ε q'' ⇒μ q' is false, and ∀q'' s.t. q' ≉ q'', q ⇒μ q'' ⇒ε q' is false. A similar definition is made for derivations of the form q —τ→ q'.

Analogous definitions about the minimum paths between tuples can be made. By analysing the reachability of the p machine by actions not in A and by comparing minimum paths of the p machine with minimum paths between (p, q) tuples, we compute a relation R_S between tuples. (The lengthy definitions of R_S, I'-completeness and O'-completeness have been omitted here.) We then construct the transitive closure of R_S and examine the set of equivalence classes given by this relation. By construction each of these sets satisfies our definition of I'-completeness. We then check each of these sets for O'-completeness. In contrast to the discarding algorithm, we do not discard a set which fails. Instead, we replace the offending set K by two sets, one derived from K by deletion of some tuple (p', q') and the other derived from K by retention of (p', q') and deletion of all other tuples beginning with p'. This process is known as tuple extraction. In general the resulting sets are not I'-complete, and so we have to refine the sets (by tuple deletion) until they are I'-complete. Deletion of tuples also implies that the R_S relations have to be recomputed. We iterate round the cycle of I'-completeness checking, O'-completeness checking and tuple extraction, until the O'-completeness condition is satisfied.

The process of tuple extraction is a heuristic one. That is, we have worked out rules for guessing which choice of tuple is most likely to lead quickly to a solution. The algorithm we use would eventually search through all tuples, though this would take far too long in general. Consequently appropriate selection of tuples is of crucial importance in this step.

8  Computation  times 

Using a discarding algorithm, an M_p with two states and an M_q with three states can be solved in a few seconds on a VAX785. An example M_p with 5 states and an M_q with 20 states but requiring no unions was on the limits of solubility (1 CPU-day). We have not yet explored the computation time of the constructive algorithm, but we expect the 5/20 example to be soluble in a few minutes of CPU time.

9  Conclusions  and  current  work 

We have produced algorithms which solve the interface equation for q machines which are not weakly determinate. Basic versions of these algorithms require impracticably large computation time for machines with more than a very small number of states. More advanced versions are under development which are more likely to produce solutions in a reasonable amount of time. Current work involves the optimisation of the heuristics for tuple selection in the constructive algorithm.
Two simple but important algorithms used to support automated reasoning are tautology checking and matching. Given two terms, matching produces a substitution, if one exists, that maps the first term to the second. In this lecture these two algorithms are used to illustrate the approach to automating reasoning suggested in the title. Both algorithms can be derived and verified in the Nuprl proof development system following exactly the informal presentation we use here.
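First-order term matching as described above, as an added example in Python that is not the lecture's Nuprl derivation: terms are tuples headed by a function symbol, variables are strings beginning with '?', and match returns the substitution that maps the pattern onto the target or None when none exists, including the case where a repeated pattern variable would have to take two different values. The term representation and sample terms are this example's own.

```python
"""First-order term matching: find a substitution sigma, if one exists, with
apply(sigma, pattern) == target."""

# Terms: a variable is a string starting with '?'; an application is a tuple
# (symbol, arg1, ..., argn); a constant is a nullary application such as ('a',).
def is_var(term):
    return isinstance(term, str) and term.startswith("?")

def match(pattern, target, subst=None):
    """Return the substitution {variable: term} mapping pattern to target, or None.

    Only pattern variables are bound; a variable occurring in the target is a
    rigid symbol here (matching, not unification). A variable that is already
    bound must meet an identical subterm, which is the consistency check that
    patterns with repeated variables need."""
    subst = dict(subst or {})
    stack = [(pattern, target)]
    while stack:
        p, t = stack.pop()
        if is_var(p):
            if p in subst:
                if subst[p] != t:
                    return None           # same variable, two different values
            else:
                subst[p] = t
        elif is_var(t) or p[0] != t[0] or len(p) != len(t):
            return None                   # head symbol or arity differs
        else:
            stack.extend(zip(p[1:], t[1:]))
    return subst

def apply(subst, term):
    """sigma(term): replace every bound variable, leaving others untouched."""
    if is_var(term):
        return subst.get(term, term)
    return (term[0],) + tuple(apply(subst, arg) for arg in term[1:])

if __name__ == "__main__":
    pat, tgt = ("plus", "?x", "?x"), ("plus", ("a",), ("a",))
    sigma = match(pat, tgt)
    print(sigma, apply(sigma, pat) == tgt)
```

The stack-based traversal visits pattern and target in lockstep, so a mismatch is reported as soon as a head symbol, arity or repeated-variable value disagrees, without building a partial substitution that would later have to be discarded.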

These  examples  serve  to  introduce  a  particular  automated  reasoning  system,  Nuprl, 
as  well  as  the  idea  of  deriving  programs  from  constructive  proofs.  The  treatment  of  the 
examples  also  suggests  how  these  systems  can  be  soundly  extended  by  the  addition  of 
constructive  metatheorems  about  themselves  to  their  libraries  of  results. 


Pairings on Lambda Algebras

W. S. Hatcher, Université Laval, Canada and
Marcel Tonga, Université de Yaoundé, Cameroun

This paper continues the authors' universal algebraic approach to the study of the $\lambda$-calculus begun in [Hatcher & Tonga 1985] and further developed in [Hatcher & Scott 1986] and [Tonga 1987]. The basic insight underlying this approach is that the traditional $\lambda$-calculus is algebraically defective because it uses only one half of the natural isomorphism $A^{B \times C} \cong (A^C)^B$, namely the right-hand side. The principal means of removing this defect is by an appropriate theory of pairings on so-called $\lambda$-algebras.

Let $\mathbf{A} = (A, \cdot)$ be a groupoid ($\cdot$ is a binary operation, called application, on the non-empty set $A$). We assume $|A| > 1$ throughout. $\mathbf{A}$ is a $\lambda$-system if it supports a syntactically appropriate $\lambda$-operator satisfying the conversion identities $(\lambda x\, t) \cdot x \equiv t$, where $t$ is any $A$-term, i.e., a term of the first-order diagram language $L(A)$ of groupoids over $A$ (thus an element of the underlying set $W_A(X)$ of the absolutely free (word-) algebra $\mathbf{W}$ of groupoids with distinguished constants $A$ and variables $X$), and $\equiv$ is the minimal congruence relation on $W_A(X)$ obtained by taking all possible evaluations of $X$ in $A$. Thus, a $\lambda$-system $\mathbf{A}$ has constants $K, S \in A$ such that $K \cdot a \cdot b = a$ and $S \cdot a \cdot b \cdot c = (a \cdot c) \cdot (b \cdot c)$ hold, where $a$, $b$, and $c$ are any elements of $A$ (parenthesis-free iterations of application are associated to the left). A $\lambda$-system satisfying all universal $A$-$\lambda$-identities (see [Hatcher & Scott 1986]) is a $\lambda$-algebra, and a $\lambda\eta$-algebra if it satisfies the further identity $(\eta)$: $\lambda x (t \cdot x) \equiv t$, where $t$ is any $A$-term.

A pairing is defined on a nonempty set $A$ whenever $A$ supports a binary coupling operation $[a,b]$ and unary projection operations $p(x)$ and $q(x)$ satisfying the identities $p([a,b]) = a$ and $q([a,b]) = b$. If the set $A$ is the support of a $\lambda$-system $\mathbf{A}$, then a pairing with binary coupling $[a,b]$ is defined on $A$ precisely when there exist nullary operations $\pi_1$ and $\pi_2$ on $A$ satisfying the identities $\pi_i \cdot [a_1, a_2] = a_i$: given $\pi_1$ and $\pi_2$, $p(x) = \pi_1 \cdot x$ and $q(x) = \pi_2 \cdot x$, while, conversely, $\pi_1 = \lambda x\, p(x)$ and $\pi_2 = \lambda x\, q(x)$ when $p(x)$ and $q(x)$ are given.

A pairing is usually defined on $\lambda$-systems by: $[a,b]_\lambda = \lambda x (x \cdot a \cdot b)$; $\pi_1^\lambda = \lambda x (x \cdot K)$; $\pi_2^\lambda = \lambda x (x \cdot (K \cdot (S \cdot K \cdot K)))$ (see e.g. [Barendregt 1984]). However, this pairing has undesirable special properties. For example, it satisfies the condition of surjectivity, $[\pi_1^\lambda \cdot a, \pi_2^\lambda \cdot a]_\lambda = a$, only when $|A| = 1$ (see [Tonga 1987, p. 18]). We call this pairing canonical to distinguish it from others.
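The canonical pairing written out over the combinators $S$, $K$ and $I$ ($I = S \cdot K \cdot K$), as an added example that is not part of the paper: the $\lambda$-terms above are translated by bracket abstraction into pure combinators and reduced with the $S$/$K$/$I$ rules (the term encoding and the fuel bound are this example's own). It checks the $K$ and $S$ identities and both projection identities, and shows that surjectivity fails in the term model for $a = K$, where the two sides have distinct normal forms.

```python
"""Canonical pairing on the SK combinators (added example; the encoding is ours).

Terms are combinator names ('S', 'K', 'I'), free constants (any other string),
or application pairs (f, x).  I is taken as a primitive with I x -> x, which is
exactly how S K K behaves."""

def app(*ts):
    """Left-associated application: app(a, b, c) == ((a b) c)."""
    t = ts[0]
    for u in ts[1:]:
        t = (t, u)
    return t

def spine(t):
    """Split ((h a) b) into its head h and argument list [a, b]."""
    args = []
    while isinstance(t, tuple):
        t, a = t
        args.insert(0, a)
    return t, args

def step(t):
    """One leftmost-outermost reduction step: (new_term, True), or (t, False) if t is normal."""
    head, args = spine(t)
    if head == 'K' and len(args) >= 2:            # K a b -> a
        return app(args[0], *args[2:]), True
    if head == 'S' and len(args) >= 3:            # S a b c -> (a c)(b c)
        a, b, c = args[:3]
        return app((a, c), (b, c), *args[3:]), True
    if head == 'I' and len(args) >= 1:            # I a -> a
        return app(*args), True
    for i, a in enumerate(args):                  # no head redex: reduce an argument
        new_a, changed = step(a)
        if changed:
            args[i] = new_a
            return app(head, *args), True
    return t, False

def normalize(t, fuel=10_000):
    """Reduce to normal form; the fuel bound guards against non-terminating terms."""
    for _ in range(fuel):
        t, changed = step(t)
        if not changed:
            return t
    raise RuntimeError("no normal form reached within the fuel bound")

# Bracket abstraction of the canonical pairing from the text:
#   [a,b]  = λx. x a b   = S (S I (K a)) (K b)
#   π1     = λx. x K     = S I (K K)
#   π2     = λx. x (K I) = S I (K (K I)),   with I standing for S K K
def pair(a, b):
    return app('S', app('S', 'I', ('K', a)), ('K', b))

PI1 = app('S', 'I', ('K', 'K'))
PI2 = app('S', 'I', ('K', ('K', 'I')))

def check_pairing():
    """Reduced forms predicted by the identities in the text (a, b, c are free constants)."""
    a, b, c = 'a', 'b', 'c'
    surj = normalize(pair(app(PI1, 'K'), app(PI2, 'K')))   # [π1·K, π2·K] for a = K
    return {
        'K_identity': normalize(app('K', a, b)),               # a
        'S_identity': normalize(app('S', a, b, c)),            # (a c)(b c)
        'pi1_of_pair': normalize(app(PI1, pair(a, b))),        # a
        'pi2_of_pair': normalize(app(PI2, pair(a, b))),        # b
        # K and [π1·K, π2·K] are distinct normal forms, so they are not convertible
        'surjectivity_fails': surj != 'K' and not step(surj)[1],
    }

if __name__ == '__main__':
    for name, value in check_pairing().items():
        print(name, value)
```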

This difficulty concerning the canonical pairing is overcome by extending the language $L(A)$ of groupoids to a language $L_\pi(A)$ that includes new constants $\pi_1$ and $\pi_2$ and a second binary operation $[\cdot,\cdot]$. The structure $\mathbf{A} = (A, \cdot, [\cdot,\cdot], \pi_1, \pi_2)$ is a coupled groupoid when it satisfies the identities $\pi_1 \cdot [a,b] = a$ and $\pi_2 \cdot [a,b] = b$ for all $a, b \in A$. A coupled groupoid is a $\lambda$-$\pi$-system if it supports a syntactically appropriate $\lambda$-operator satisfying conversion identities for all terms $t$ of $L_\pi(A)$. We have:

Theorem 1. A coupled groupoid $\mathbf{A}$ is a $\lambda$-$\pi$-system if and only if $\mathbf{A}$ has constants $S$, $K$, and $W$ satisfying the identities $K \cdot a \cdot b = a$; $S \cdot a \cdot b \cdot c = (a \cdot c) \cdot (b \cdot c)$; $W \cdot a \cdot b \cdot c = [a \cdot c, b \cdot c]$, where $a$, $b$, and $c$ are any elements of $A$. ■

This combinatory form of $\lambda$-$\pi$-systems is very helpful in studying the relationship between various pairings defined on them. Indeed, we can use the $\lambda$-operator in a $\lambda$-$\pi$-system to define pairings other than the one given by the primitive coupling operation $[\cdot,\cdot]$ and the primitive constants $\pi_1$ and $\pi_2$. An important and useful example is the following:

A $\lambda$-$\pi$-system satisfying all universal $A$-$\lambda$-$\pi$-identities (see [Tonga 1987, p. 23]) is a $\lambda$-$\pi$-algebra, and a $\lambda$-$\pi$-algebra satisfying the identity $(\eta)$ is a $\lambda$-$\eta$-$\pi$-algebra. Let $\mathbf{A}$ be a $\lambda$-$\eta$-$\pi$-algebra. Then $\langle a,b \rangle = \lambda x [a \cdot x, b \cdot x]$, $p(x) = \lambda y (\pi_1 \cdot (x \cdot y))$, and $q(x) = \lambda y (\pi_2 \cdot (x \cdot y))$ define a pairing on $A$, called a function pairing. It is a pairing frequently used when dealing with the "monoid form" of a $\lambda$-$\eta$-$\pi$-system, in which the $\lambda$-operator is used to define the following further operations. (1) Composition: $a \circ b = \lambda x (a \cdot (b \cdot x))$. (2) Identity: $I = \lambda x (x)$. (3) Exponentiation (Currying up): $g^* = \lambda x (\lambda y (g \cdot [x,y]))$. (4) Extraction (Currying down): $g_* = \lambda x (g \cdot (\pi_1 \cdot x) \cdot (\pi_2 \cdot x))$. (5) Evaluation: $\varepsilon = I_*$. If the original pairing is the canonical one, then the derived function pairing is called standard. The standard function pairing can be given an intrinsic definition in terms of the monoid structure of the system (see [Tonga 1987, p. 60]).

Suppose, now, that we are given a monoid $(M, \circ, I)$ enriched with a further binary operation $\langle \cdot,\cdot \rangle$, a unary operation $^*$, and nullary operations $\pi_1$, $\pi_2$, and $\varepsilon$. Then $\mathbf{M} = (M, \circ, I, \langle \cdot,\cdot \rangle, {}^*, \pi_1, \pi_2, \varepsilon)$ is a weak C-monoid if these data satisfy the following identities: $\pi_i \circ \langle a_1, a_2 \rangle = a_i$; $\langle a, b \rangle \circ c = \langle a \circ c, b \circ c \rangle$; $\varepsilon \circ \langle a^* \circ \pi_1, \pi_2 \rangle = a \circ \langle \pi_1, \pi_2 \rangle$; $a^* \circ b = (a \circ \langle b \circ \pi_1, \pi_2 \rangle)^*$.

Theorem 2. Any weak C-monoid is, under the appropriate definitions, a $\lambda$-$\pi$-algebra. Conversely, any $\lambda$-$\eta$-$\pi$-algebra is, under the definitions given above, a weak C-monoid. ■

Only the ($\Rightarrow$) half of Theorem 2 is really new (although the converse was in fact established only for the standard pairing, see [Adachi 1983] and [Koymans 1984]). The proof uses a variant, due to Tonga, of the discriminant of [Hatcher & Scott 1986].

A weak C-monoid $\mathbf{M}$ is a $\lambda$-monoid if the identity $\varepsilon = \varepsilon \circ \langle \pi_1, \pi_2 \rangle$ holds in $\mathbf{M}$, an $\eta$-monoid if the identity $\varepsilon^* = I$ holds, and a surjective monoid if $\langle \pi_1, \pi_2 \rangle = I$. Finally, a surjective $\eta$-monoid is a C-monoid.

Theorem 3. Any $\lambda$-$\eta$-monoid is a $\lambda$-$\eta$-$\pi$-algebra and, conversely, any $\lambda$-$\eta$-$\pi$-algebra is a $\lambda$-$\eta$-monoid. ■

This result is contained in [Tonga 1987]. It strictly generalizes the main result of [Hatcher & Scott 1986], employing similar techniques and using the result of Theorem 2 above as a lemma.

In fact, Theorem 3 is a (particularly useful) special case of the following theorem:

Theorem 4. There is an equivalence of categories between the category of all $\lambda$-$\pi$-algebras and the category of all $\lambda$-monoids. ■

The special case of Theorem 4 obtained by taking only the canonical pairing for the $\lambda$-algebras and the standard pairing for $\lambda$-monoids is the well-known result of [Adachi 1983] and [Koymans 1984].

Finally, we give necessary and sufficient conditions for any two pairings to be pairings for the same, given $\lambda$-monoid structure. This generalizes a similar result for C-monoids found in [Lambek & Scott 1986].

The results of the present paper show that most of the various structures which serve as models for the $\lambda$-calculus have, when endowed with a pairing system, elegant algebraic formulations as monoids. In particular, we have obtained these results without ever imposing the condition of surjectivity on our pairings, yet all of the results extend easily to the surjective case.

Important for computer science and the theory of recursive functions in general is the fact that none of the various structures dealt with in this study are required to be extensional (or even weakly extensional).
Data abstraction has been widely recognized as an important technique for designing programs, and the notion of Abstract Data Types (ADT for short) was invented for formally studying these abstraction techniques. In particular, equational specifications of ADT, which posit a set of many-sorted algebraic objects to a finite set of equations, enjoy considerable popularity because programmers can easily formalize equations within programming languages while pure mathematicians can easily study the algebraic objects specified by equations. However, many people feel that this approach creates more problems than it solves [ManesArbib 86, Ch. 14]. Such frustration comes, we believe, partially from definitions of ADT or, equivalently, interpretations of equational specifications.

According to the ADJ group [Goguen et al 75], an ADT is an isomorphic class of universal algebras. They proposed that the class of initial models (unique under isomorphism), which are the minimal algebraic structures satisfying the given equations, be used as the interpretation or semantics of specifications [Goguen et al 75]. In this initial-model approach, all functions in a specification are considered uniformly.

Another interesting isomorphic class of universal algebras is the ones isomorphic to the set of algebraic objects built up uniquely by constructors. In this approach, all functions in a specification are explicitly classified into constructors and nonconstructors (or destructors), with the interpretation that the constructors and equations on constructors define the model (called the constructor model) of a specification. This approach to equational specifications is not new: Peano's arithmetic, Boyer and Moore's shell principle, etc., can be considered as instances of this approach.

A serious problem in the initial-model approach is to handle erroneous and meaningless expressions as well as incompletely defined nonconstructors. When some incomplete functions are present, it is often difficult to reconcile the initial object condition with intuitively correct equations of the intended model. For example, suppose that a specification defines $+$ over natural numbers with the equations $E = \{0 + x = x,\ suc(x) + y = suc(x + y)\}$. In this case, the initial model of $E$ is (isomorphic to) the natural number set and the equation $x + y = y + x$ is true in the initial model. If $E$ is extended by adding a single equation $pre(suc(x)) = x$, then $x + y = y + x$ is no longer true in the new initial model, since the function $pre$ is not defined on $0$. If $pre(0)$ is substituted for $x$ and $0$ for $y$ in $x + y = y + x$, the resulting two sides are not congruent. This is not very surprising, as the initial object set can be changed with the addition of a new function symbol which may introduce new values. The side effect of this change is that the new initial model is often very hard to describe and is no longer the intended model.

To overcome this problem, many attempts have been made. The sufficient completeness property of ADT specifications introduced by Guttag [Guttag 75] has been found useful. A specification is sufficiently complete if every nonconstructor is completely defined over constructors. However, requiring every specification to be sufficiently complete is often inconvenient and is too restrictive in a system for building specifications.

It is always possible that the intended model can be built up by a minimal set of operators (called constructors). As long as the constructor set and their relations are fixed in a specification, we may consider that the model of the specification remains unchanged, no matter what functions have been added and whether these new functions are completely defined. This intended model is what we call the "constructor model".

For a given specification, the constructor model has a close relation with the initial model. In terms of universal algebras, the constructor model is just a subalgebra of the initial model with constructor terms as its domains.

Definition 1 (subalgebra) Given a signature $(S, F)$ and an $F$-algebra $A = (S_A, F_A)$, where $S_A$ is the domain of $A$ and $F_A$ the functions of $A$. An $F$-algebra $B = (S_B, F_B)$ is said to be a subalgebra of $A$ if (i) $F_B = F_A$ and (ii) for each $A_s \in S_A$ and $B_s \in S_B$, we have $B_s \subseteq A_s$, where $s \in S$, and $A_s$ and $B_s$ are the object sets of sort $s$ in $A$ and $B$, respectively.

In contrast to the classical definition [BirkhoffLipson 70], we do not require that the domains of a subalgebra be closed under its operations. This is because all the functions are total in an initial algebra. If we had required that subalgebras be closed under functional application, then an initial algebra could not have any non-trivial subalgebras, except for the case where some domains of such subalgebras are void.

Let $I(F, E)$ denote the initial algebra specified by a signature $(S, F)$ and a set $E$ of equations. We are interested in subalgebras of $I(F, E)$ such that the domains of such a subalgebra are not void for each sort $s \in S$ and are determined by specifying a subset of $F$. More precisely, for a subset $F' \subseteq F$, we require the domains of its subalgebra to be isomorphic to the free term algebra $T(F')$ modulo the congruence $=_E$. We say that they are subalgebras of $I(F, E)$ with respect to $F'$ and write $I(F/F', E)$ to denote them.

Theorem 2 Given $S$, $F$, $E$ and $F' \subseteq F$. The following statements are equivalent:

(a) $I(F, E)$ is isomorphic to $I(F/F', E)$;

(b) The functions of $I(F/F', E)$ are total;

(c) The $E$-congruence classes (modulo $=_E$) of the term algebras $T(F)$ and $T(F')$ are isomorphic.

Given a signature $(S, F)$, a subset $C$ of $F$ and a set $E$ of equations over $F$ and variables, let us denote an equational specification by $SP = (S, F, C, E)$, where $C$ is called the constructors of $SP$ and $F - C$ the nonconstructors of $SP$.

Definition 3 (constructor model) Given a specification $SP = (S, F, C, E)$, the constructor model of $SP$ is the subalgebra $I(F/C, E)$ of the initial model $I(F, E)$ with respect to $C$.
Example 4 Let $SP = (S, F, C, E) = (\{iowa\}, \{0, suc, pre\}, \{0, suc\}, \{pre(suc(x)) = x\})$. The domain of sort $iowa$ in the initial algebra of $SP$ is neither the natural number set nor the integer set; it can be represented by

$\{suc^i(pre^j(0)) \mid i, j \in \mathbb{N}\}$, where $\mathbb{N}$ is the natural number set,

which is isomorphic to $\mathbb{N} \times \mathbb{N}$. An initial algebra of $SP$ is

$I(F, E) = (\mathbb{N} \times \mathbb{N}, \{0_I, suc_I, pre_I\})$

where

$0_I = (0, 0)$,

$suc_I = \lambda(i, j).\,(i + 1, j)$,

$pre_I = \lambda(i, j).\,\text{if } (i = 0) \text{ then } (i, j + 1) \text{ else } (i - 1, j)$.

The subalgebra of the initial model with respect to $C = \{0, suc\}$ is:

$I(F/C, E) = (\mathbb{N} \times \{0\}, \{0_I, suc_I, pre_I\})$

where $0_I$, $suc_I$ and $pre_I$ are the same as in $I(F, E)$ above. By definition, $I(F/C, E)$ is the constructor model of $SP$ above. Note that the function $pre_I$ is not total in $I(F/C, E)$, since $pre_I((0, 0)) = (0, 1)$, which does not belong to the domain of $I(F/C, E)$.
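Example 4 and the $+$ example from the introduction, worked in code as an added example that is not from the paper (the term encoding and helper names are this example's own): ground terms are rewritten with $pre(suc(x)) \to x$ and the two oriented equations for $+$, each normal form is classified as a constructor term or not, and the initial algebra on $\mathbb{N} \times \mathbb{N}$ is interpreted directly, so one sees both that $pre_I((0,0)) = (0,1)$ leaves the constructor model $\mathbb{N} \times \{0\}$ and that $x + y = y + x$ fails once $x = pre(0)$.

```python
"""Constructor model vs. initial model for SP = ({iowa}, {0, suc, pre, +}, {0, suc}, E).
Added example; the term encoding and helper names are ours.

Terms: 0 is the string '0'; suc(t) = ('suc', t); pre(t) = ('pre', t); s + t = ('+', s, t)."""

CONSTRUCTORS = {'0', 'suc'}

def suc(t): return ('suc', t)
def pre(t): return ('pre', t)
def plus(s, t): return ('+', s, t)

def rewrite_root(t):
    """Apply one oriented equation at the root, or return None if none applies:
       pre(suc(x)) -> x ;  0 + x -> x ;  suc(x) + y -> suc(x + y)."""
    if isinstance(t, tuple):
        if t[0] == 'pre' and isinstance(t[1], tuple) and t[1][0] == 'suc':
            return t[1][1]
        if t[0] == '+':
            x, y = t[1], t[2]
            if x == '0':
                return y
            if isinstance(x, tuple) and x[0] == 'suc':
                return suc(plus(x[1], y))
    return None

def normal_form(t):
    """Innermost normalisation.  The three rules are terminating and do not overlap,
    so every ground term has a unique normal form and distinct normal forms are not E-equal."""
    if isinstance(t, tuple):
        t = (t[0],) + tuple(normal_form(a) for a in t[1:])
    r = rewrite_root(t)
    return t if r is None else normal_form(r)

def is_constructor_term(t):
    """True iff t is built from 0 and suc only (the carrier of the constructor model)."""
    if isinstance(t, str):
        return t in CONSTRUCTORS
    return t[0] in CONSTRUCTORS and all(is_constructor_term(a) for a in t[1:])

def interp(t):
    """Value of a ground term over {0, suc, pre} in I(F, E) = (N x N, {0_I, suc_I, pre_I})."""
    if t == '0':
        return (0, 0)                                   # 0_I
    i, j = interp(t[1])
    if t[0] == 'suc':
        return (i + 1, j)                               # suc_I
    return (i, j + 1) if i == 0 else (i - 1, j)         # pre_I

def in_constructor_model(value):
    """The carrier of I(F/C, E) is N x {0}: exactly the values of constructor terms."""
    return value[1] == 0

def demo():
    zero = '0'
    x, y = pre(zero), zero     # the substitution that breaks x + y = y + x in the initial model
    return {
        'pre_suc_0': normal_form(pre(suc(zero))),                                  # '0'
        'pre_0_is_constructor_term': is_constructor_term(normal_form(pre(zero))),  # False
        'two_plus_two': normal_form(plus(suc(suc(zero)), suc(suc(zero)))),         # suc^4(0)
        'x_plus_y': normal_form(plus(x, y)),        # stuck at pre(0) + 0: no rule matches
        'y_plus_x': normal_form(plus(y, x)),        # pre(0)
        'pre_I_of_0': interp(pre(zero)),            # (0, 1)
        'pre_I_stays_in_constructor_model': in_constructor_model(interp(pre(zero))),  # False
        'pre_suc_equation_holds_in_I': interp(pre(suc(zero))) == interp(zero),        # True
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

Because the rewrite system has no critical pairs, the two distinct normal forms of $pre(0) + 0$ and $0 + pre(0)$ witness that the commutativity instance is not provable from $E$, which is exactly the failure the introduction describes.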

By definition, the subalgebra of the initial model with respect to constructors is the constructor model of an equational specification. It is easy to derive from Theorem 2 that if a specification is sufficiently complete, then the initial model and the constructor model of the specification are isomorphic. In general, the constructor model and the initial model are different. The advantage of the former over the latter is that it is easy to reconcile the initial object condition among constructor terms with the intended model and to reconcile the soundness of equations in the constructor model with intuitively correct equations. Hence, it is more natural and intuitive to use the constructor model as the ADT of a specification.

The constructor model can also be considered as the initial model of the sub-specification of a specification obtained by ignoring any nonconstructors. In other words, every constructor model has an initial model specification. Because of the initiality of constructor models, the constructor model approach inherits almost every advantage of the initial model approach for ADT specifications. Like initial models, constructor models can be used to justify the correctness of equational programs. Because every value can be represented by a syntactical term, a computing step corresponds to a deduction step from a term $t_1$ to another term $t_2$ by a set of inference rules. The correctness of the computation is thus reduced to the validity of the equation $t_1 = t_2$ in the constructor model. Similarly, the validity of inference rules can also be verified in the constructor model. If the equations in a specification possess a canonical rewrite system in which, whenever the right side of a rewrite rule has non-constructors, its left side also has non-constructors (called constructor preserving [Kapur et al 85]), then the constructor model is computable because the domain of the constructor model is the same as the collection of all the normal forms of ground constructor terms.

In [Zhang 88], the constructor model has been used to establish the soundness of inductive theorem proving techniques and to characterize different classes of theorems of an equational specification. It is shown that the class of all the equations valid in the constructor model is a superset of the equations valid in the initial model, but is a subset of the equations which can be proved if we add one more inference rule called full consistency to the proof system (see also [KapurMusser 84]). It is also shown that the induction principle based on the constructor model, together with the rules of equational reasoning, constitutes a set of inference rules that has the monotonicity property with extension, a desirable property for automated reasoning systems.

In [ManesArbib 86] (p. 327), it is criticized that the initial model approach does not provide a satisfactory explanation of the relation between the two ADTs stack and queue. However, it becomes clear when we compare their constructor sets, because they have the same constructors (after renaming). Both of them can be implemented by the ADT list because list not only has the same constructor set as that of stack and queue, but also has a richer set of nonconstructors than stack and queue.

Finally, it is worth mentioning that the order-sorted algebra approach of [Goguen et al 85] is compatible with the constructor-model approach and their results (including the implementation results in OBJ3 [GoguenWinkler 88]) can be carried over in a natural form.

Acknowledgement: Thanks to Monagur Muralidharan for his useful comments on an earlier draft of this note.
Abstract: When observing termination of closed terms at all types in Plotkin's interpreter for PCF [11], the standard cpo model $A_v$ is not adequate. We define a new model, $A_y$, with lifted functional types and prove its adequacy for this notion of observation. We prove that with the addition of a parallel conditional and a convergence testing operator to the language, the model becomes fully abstract; with the addition of an existential-like operator, the language becomes universal. Using the model as a guide, we develop a sound logic for the language.

1 Introduction

The denotational semantics most appropriate for a programming language depends crucially upon the observations one makes about computations. In general, an observation is some important behavior of the interpreter [8]. For example, in the arithmetic, higher-order programming language PCF [11, 13], one usually chooses to observe the results of arithmetic expressions, that is, that a term of integer type reduces to a numeral. One may also extend the notion of observation to arbitrary terms, saying that two terms are observationally congruent if they produce the same observable outcomes in any program context.

A good denotational semantics should be able to predict the observational behavior of a term. Each observation must therefore have a denotational meaning. When observing numerals in PCF, for example, "$M$ evaluates to 78" should imply that $M$ means 78. If the converse holds as well, we say that the semantics is adequate. A perfect match occurs when observational congruence and semantic equality coincide; the semantics is then called fully abstract.

*Both authors were supported in part by NSF Grant No. 8511190-DCR, ONR grant No. N00014-83-K-0125, and NSF

The language PCF, when observing numerals, has a well-matched denotational semantics. Plotkin and Sazonov show that the Scott-style cpo model $A_v$ is adequate [11, 12]. Moreover, although $A_v$ is not fully abstract, the addition of a parallel conditional operator pcond to PCF makes the model fully abstract under this notion of observation [11, 12].

There may be other plausible choices for observations, e.g., in a language with stores, one could observe the contents of memory cells. Other notions of observation can open a morass of problems. In PCF, for example, one might wish to observe terms at higher type, e.g., printing a message when a term "equals" the identity function $\lambda x.x$. One must then choose the sense in which to compare terms of functional type: syntactic equality is probably too fine-grained, whereas observational congruence of terms is undecidable [17]. In particular, we cannot hope to observe the identity function in the same way we do numerals.

Nevertheless, one may reasonably observe termination of terms of functional type. When given a term of higher type, Plotkin's interpreter for PCF will either terminate at a $\lambda$-abstraction or diverge. For example, let $\Omega^\sigma$ be a term of type $\sigma$ that diverges, and consider the two PCF terms $\lambda x^\tau.\Omega^\tau$ and $\Omega^{\tau \to \tau}$. The PCF interpreter will halt on the first term and diverge on the second. In fact, most interpreters for functional languages are "lazy," stopping at $\lambda$-abstractions and printing some message indicating that the computation will proceed no further (e.g., LISP [15]).

If we observe termination at higher type, $A_v$ fails to be adequate since the meanings of the two terms above are both $\bot$. To regain adequacy, one could change the interpreter to reduce inside $\lambda$-abstractions; Wadsworth [16] and Cosmadakis and Meyer [4, 8] give examples of such interpreters. We take the opposite approach and try to build a model that reflects the behavior of the interpreter. We are willing to add new constants to PCF, as long as we do so conservatively; the interpreter's behavior should not change on terms without the new constants, and should still stop on abstractions.

We choose "termination of closed terms at any type" and "evaluation to ground constants" as the fundamental observations. We introduce the model $A_y$, built using the common domain-theoretic constructor of lifting, which includes an extra element at every functional type. The extra element is precisely what we need to give distinct values to $\lambda x^\tau.\Omega^\tau$ and $\Omega^{\tau \to \tau}$. We show that $A_y$ is adequate, and with the addition of pcond (at all types) and a convergence testing operator up?, the model becomes fully abstract for our notion of observation.¹

In $A_y$, there is a natural way to select a set of computable values from the domains.² PCF terms always have computable meanings, but the computable values may not all be programmable. We say that a language is universal for a denotational semantics iff all computable semantic values are definable [11].

In PCF, all computable first-order functions are definable; these are precisely the partial recursive functions on integers. However, there are many higher-order computable functions which cannot be defined even when the language is extended with up? and pcond. One of them is a continuous approximation to the existential quantifier $\exists$ [11]. As in [11], this is essentially the only function missing; once $\exists$ has been added, the language becomes universal for the model $A_y$.

Adequacy, full abstraction and universality mark an intimate connection between PCF and the model $A_y$. The point of obtaining such a model is, in part, to develop techniques for proving properties about code. We give some preliminary results in defining a logic (based on LCF [6, 13]) for a fragment of PCF with up?. The logic is shown to be sound for the model $A_y$.

¹ These results were obtained independently from Abramsky [1] and Ong [9, 10], who have proven similar adequacy and full abstraction results for an untyped $\lambda$-calculus. Cosmadakis [4] has extended our results to a language with product, sum, and recursive types.

² Every isolated element [14] in the model may be given a Gödel number $n$; an arbitrary element $d$ is computable if $\{n : e_n \text{ is isolated and } e_n \sqsubseteq d\}$ is r.e.


Figure 1: Operational Rules for PCF

$(\lambda x.M)\,N \to M[N/x]$

$succ\ n \to n + 1$

$pred\ n \to n - 1$

$zero?\ 0 \to tt$

$zero?\ (n + 1) \to ff$

$cond\ tt\ M\ N \to M$

$cond\ ff\ M\ N \to N$

$Y\,M \to M\,(Y\,M)$

$M \to M'$ implies $M\,N \to M'\,N$

$N \to N'$ implies $c\,N \to c\,N'$, for $c \in \{pred, succ, cond, zero?\}$

2 Review of PCF

The language PCF is simply-typed $\lambda$-calculus, with types given by the grammar

$\sigma ::= \iota \mid o \mid \sigma \to \sigma$

The type constants $\iota$ and $o$ are used for integers and Booleans respectively. Structured rewrite rules for the interpreter are given in Figure 1. We write $M \twoheadrightarrow N$ when $M$ reduces to $N$ in zero or more steps of evaluation. A term $M$ is stopped if it cannot be rewritten further. For example, $\lambda x.succ\ 3$ does not rewrite further, despite the fact that it has a redex as a subterm. This is essentially the language given in [11]. The main difference, aside from notation, is that $pred\ 0 \to 0$ rather than stopping.

3 The Model

Our model of PCF, $A_y$, is based on Scott domains [14], as is the standard model $A_v$. The base types are the same in both models, with $A_v[\iota] = D^\iota = \{\bot, 0, 1, 2, \ldots\}$ and $A_v[o] = D^o$ (the Booleans), ordered $\bot \sqsubseteq x$ for all $x$. The difference between the two models appears at higher type; in $A_v$, the functional types are

$A_v[\sigma \to \tau] = A_v[\sigma] \to A_v[\tau]$

where $D \to E$ is the cpo of continuous functions from $D$ to $E$ ordered pointwise [11, 13]. In $A_y$, we lift each function space once:

$A_y[\sigma \to \tau] = D^{\sigma \to \tau} = (A_y[\sigma] \to A_y[\tau])_\bot$

If $D$ is a domain, $(D)_\bot$ is $D$ with a new bottom element added [1, 9, 10]. Concretely, the elements of $(D)_\bot$ are $\{(d, 0) : d \in D\} \cup \{\bot\}$, ordered with $\bot \sqsubseteq d$ for all $d$, and $(d, 0) \sqsubseteq (d', 0)$ iff $d \sqsubseteq d'$. The function $\Uparrow : D \to (D)_\bot$ with $\Uparrow d = (d, 0)$ is an injection; the function $\Downarrow : (D)_\bot \to D$ with $\Downarrow (d, 0) = d$ and $\Downarrow \bot = \bot$ is the corresponding projection.

Given these elements, we assign meanings to terms using an environment model [2, 5, 7] in the usual way. Constants of base type mean the obvious elements in the domains, and constants of higher type mean lifted functions. The equations

$A_y[MN]\rho = \Downarrow(A_y[M]\rho)\,(A_y[N]\rho)$

$A_y[\lambda x.M]\rho = \Uparrow f$,

where $f(d) = A_y[M](\rho[x \mapsto d])$, specify the meanings of applications and abstractions.

4 Adequacy, Full Abstraction, and Universality

Having defined the model $A_y$ that distinguishes $\Omega$ and $\lambda x.\Omega$, we may ask to what extent the operational semantics and the model agree. A first criterion is adequacy [3, 8, 11]: the semantics should predict the observational outcome of interpreting a term. We have chosen to observe closed terms evaluating to a numeral at base type, and halting at higher type. Denotationally, this corresponds to meaning a number at base type, and meaning anything but $\bot$ at higher type. For our notion of observation, $A_y$ is an adequate model:

Theorem 1 (Adequacy) The lifted model $A_y$ is adequate for PCF with respect to observing numerals and termination, i.e., for closed terms $M$, integers $n$, and proper Booleans $b$,

$A_y[M]\rho = n$ iff $M \twoheadrightarrow n$

$A_y[M]\rho = b$ iff $M \twoheadrightarrow b$

$A_y[M]\rho \neq \bot$ iff evaluation of $M$ halts.

A fully abstract model allows one to substitute denotational reasoning for operational reasoning.

Definition 1 A denotational semantics $[\cdot]$ is fully abstract (with respect to a set of observations) if for any terms $M, N$, $[M] = [N]$ iff $M$ and $N$ are observationally congruent.

Plotkin [11] and Sazonov [12] show that $A_v$ is not fully abstract: PCF lacks parallel facilities present in the cpo semantics, facilities that can make distinctions between observationally congruent terms. The same is true of $A_y$; it also contains parallel elements.

One way to achieve full abstraction is to extend the language. We add a parallel conditional operator $pcond_\sigma : o \to \sigma \to \sigma \to \sigma$ for all types $\sigma$, with the reduction rules (cf. [11])

$pcond_\sigma\ tt\ M\ N \to M$

$pcond_\sigma\ ff\ M\ N \to N$

$pcond_\sigma\ B\ c\ c \to c$, where $\sigma = o, \iota$

$(pcond_{\sigma \to \tau}\ B\ M\ N)\,Q \to pcond_\tau\ B\ (M\,Q)\ (N\,Q)$

$B \to B'$ implies $pcond_\sigma\ B\ M\ N \to pcond_\sigma\ B'\ M\ N$

$M \to M'$ implies $pcond_\sigma\ B\ M\ N \to pcond_\sigma\ B\ M'\ N$

$N \to N'$ implies $pcond_\sigma\ B\ M\ N \to pcond_\sigma\ B\ M\ N'$

But even with this addition, $A_y$ still makes too many distinctions between terms:

Theorem 2 The model $A_y$ is not fully abstract for PCF + pcond when observing termination.

The reason for this failure is that PCF cannot itself make all of our observations. It can observe numerals, in the sense that there is a term $T_n$ such that $T_n\,M$ halts iff $M$ satisfies the observation "evaluates to $n$." However, one can show that there is no such PCF-definable test for convergence at higher type.

The solution is simple; we add convergence testing (cf. [1, 9, 10]) to the language. At every type, we add the operator up? with the rules

$up?\ c \to tt$

$up?\ (\lambda x.M) \to tt$

$M \to M'$ implies $up?\ M \to up?\ M'$

Theorem 3 (Full Abstraction) $A_y$ is fully abstract for PCF + pcond + up? when observing termination.


In order to achieve universality for A⊥, an existential quantifier, which introduces unbounded parallelism into the interpreter, must be added to PCF [11].

Theorem 4 (Universality) PCF with the operators pcond, up?, and ∃ is universal for A⊥.
5 Logic for Lifted PCF

The adequacy and full abstraction theorems show that A⊥ is a suitable guide for developing reasoning principles for code. A logic based on A⊥ should prove inequations between terms rather than equations. The constant cond also requires reasoning by cases, viz., if an inequation is true when a Boolean term is tt, ff, or Ω, the inequation should hold.

The wffs in the logic have the form P ⊢ M ⊑ N, where P is a set of inequations (cf. [13]). We write P ⊢ M = N as shorthand for P ⊢ M ⊑ N and P ⊢ N ⊑ M. Due to a lack of space, we give two examples of axioms rather than the full logic:

∅ ⊢ M ⊑ λx.M x
∅ ⊢ M ⊑ cond (up? M) M N

(The first resembles η-reduction [2]; note that the rule ∅ ⊢ λx.M x ⊑ M is not sound, however, since it is not the case that A⊥[λx.Ω x] ⊑ A⊥[Ω].) One can then show the following about the logic:

Theorem 5 (Soundness) If ∅ ⊢ M ⊑ N, then A⊥[M] ⊑ A⊥[N].

The converse necessarily fails: the set of true inequations is not axiomatizable [13].
1. Introduction

Many-sorted (conditional) equational logic is the most established basis for the algebraic approach to abstract data type (ADT) specification (see e.g. [EM 85]). However, this logic proves somewhat inadequate in many practical situations; e.g. it entails writing a large number of equations to deal with error cases and partially defined functions. Order-sorted algebras [G 78] were proposed in order to overcome such practical inadequacies. Nonetheless the order-sorted approach is not sufficiently flexible to deal with some aspects of ADT specification (see [M 88] for a technically detailed criticism and [P 88] for a more flexible approach to sort ordering and dependent types).

The Δ logic presented in this paper is a generalization of many-sorted equational logic that extends ‘reasoning with equations’ towards ‘reasoning with equations and type assignments’. It provides a single, unified framework capable of coping with diverse phenomena such as partiality, polymorphism and dependent types. In Section 2 we illustrate and support this claim by simple examples. Section 3 is an overview of formal definitions and results. Here we summarize the main intuitions behind this logic.

1. Elements and sorts (or types, which from now on we use synonymously) are merged in a single carrier equipped with a binary typing relation, which assigns types to elements (hence types are elements themselves). This immediately introduces partiality because, in general, an operation is defined only on elements of suitable types. Moreover, one gets a great amount of flexibility and generality: several types may be assigned to an element, operations may take type arguments or yield types, etc.

2. Usual ADT presentations consist of two parts: a static one which defines the signature and a dynamic one which presents the axioms. A Δ presentation, in a more general way, merges the type constraints and the equality ones. In fact, Δ formulae are conditional formulae where equations and type assignments may occur indifferently in the premise and in the conclusion.

These intuitions were first exploited in [MS 88]: the typed equational logic introduced there is an extension of many-sorted equational logic exactly in the sense mentioned above, and soundness, completeness, and initiality results were established for it. The semantics was set in a partial-algebraic framework [ABN 80]. The pragmatics of that logic were further investigated in [MSS 88], where we also addressed the pragmatic question of how to cater, in that framework, for functions that are partially defined but non-strict (if_then_else_ is a typical example of such a function). We found that the typing relation may offer a correctness tool, in the sense, for instance, that one may view as meaningless terms (but now we could otherwise say: terms representing underdefined elements, see below) those terms to which no type can ever be assigned (in a given presentation). We also noted that type as a ‘correctness tool’ is a concept that appears in the early days of mathematical logic (e.g. Russell).

Solicited by an anonymous referee, and inspired by Mosses’ Unified Algebras [M 88], we reconsider our former enthusiasm for partial algebras in a more critical light, coming to the conclusion that, to offer an adequate representation of partiality, one need not necessarily embark on the semantical complications of the theory of partial algebras (we refer the reader to the ‘Introduction’ in [R 87] for a concise summary of those complications). The step of the present work from our former approach is precisely this: replacing, in the general case rather than in special ones, the syntax-sided notion of meaningless term with the semantics-sided notion of underdefined element ("ideal element", following Hilbert). This amounts to choosing as semantical framework total, rather than partial, one-sorted algebras, yet still equipped with a binary typing relation. More precisely, we will consider any element of the single carrier of any such algebra to be underdefined if neither any type is assigned to it nor is it itself a type assigned to some element of the carrier. In addition to the advantages that follow from the greater simplicity of a total algebra framework, a further gain seems to be available on the methodological side too, in connection with formal notions of refinement and implementation of specifications: elements that are underdefined at a certain stage of a software engineering process may become defined at a later, less abstract stage, e.g. when some specific classification of exceptions is desired. The first example below illustrates the exception by default principle, useful at the more abstract stages of software design.

Two more examples illustrate, in complementary cases, the natural place that generality of description finds in our framework. As a matter of fact, we find that both type polymorphism (parameterization by types) and dependent types (parameterization by values) are representatives of the same species: functional abstraction. The freedom of term construction as a facility to express types demolishes the syntactical barriers that in ad-hoc approaches make a uniform treatment so difficult to achieve. Due to space limitations, the examples of the next Section have austere explanations and the formal overview of Section 3 gives just essential definitions and results with no proof. The full paper [MSS 89] is committed to a duly comprehensive treatment, where also the further results and investigations mentioned in Section 4 are argued in technical detail.

2. DELTA specification examples

Why yet another logic? The answer takes here the form of a few simple examples. Our bare syntax is as follows: essentially, a Δ specification is a named Δ presentation (see definitions 3.6 and 3.7) using declared variables, with the smallest (one-sorted, ranked: see definition 3.1) signature that is compatible with the axioms of the presentation.

The theory of ADTs is often identified with the theory of stacks, due to the popularity of the stack data type as specification example. The basic trouble is found here in determining which outcome should be expected from popping or topping the empty stack. With the following specification (the first of the two below) the terms pop(empty) and top(empty), among others, denote underdefined elements because they occur in no type assignment of the STACK Δ theory.

spec STACK
var s, i
in
  empty : stack
  s : stack, i : item → push(s,i) : stack
  s : stack, i : item → pop(push(s,i)) = s
  s : stack, i : item → top(push(s,i)) = i
end

spec IDENTITY (type)
var x, d, c, f, t
in
  d : type, c : type → d to c : type
  x : d, f : d to c → apply(f,x) : c
  t : type → id t : t to t
  t : type, x : t → apply(id t, x) = x
end

The identity function is a well-known example of a higher-order polymorphic function: in the second specification above, a generic ‘type’ parameter is declared, to enable one to specialize the definition as desired. For instance, when using such a definition in the context of a functional programming language, the parameter is to be instantiated by the (higher-order) type of the basic types of that language. Note that the syntax is assumed to allow both binary infix and unary prefix operators. Somewhat relating to the previous example, we show a use of dependent types in our last example, which can be compared with the similar example in [P 88], slightly but necessarily less parsimonious, in our opinion (argumentation in [MSS 89]).


spec CATEGORY (obj, hom)
var x, y, z, w, f, g, h
in
  f : hom(x,y) → dom f : obj
  f : hom(x,y) → cod f : obj
  f : hom(x,y) → dom f = x
  f : hom(x,y) → cod f = y
  x : obj → id x : hom(x,x)
  f : hom(x,y), g : hom(y,z) → f ; g : hom(x,z)
  f : hom(x,y) → (id x) ; f = f
  f : hom(x,y) → f ; (id y) = f
  f : hom(w,x), g : hom(x,y), h : hom(y,z) → (f ; g) ; h = f ; (g ; h)
end
3. Overview of DELTA

3.1 Definition Let Ω be a one-sorted algebraic signature, i.e. a set of operators each with a number specifying its arity. A Δ Ω-algebra A is a pair <A, :_A>, with A a one-sorted (total) Ω-algebra and :_A (the typing) a binary relation on the carrier A of A. □

3.2 Definition A Δ morphism from a Δ Ω-algebra A into a Δ Ω-algebra B is a morphism φ : A → B that respects the typing, i.e. such that if a1 :_A a2 then φ(a1) :_B φ(a2). □

3.3 Definition A Δ congruence on a Δ algebra A is a pair Θ = <≡_Θ, :_Θ> of binary relations on A such that:

(i) ≡_Θ is a congruence on A;

(ii) if a1 ≡_Θ b1 and a1 :_Θ c, then b1 :_Θ c;

(iii) if a1 ≡_Θ b1 and c :_Θ a1, then c :_Θ b1;

(iv) :_A ⊆ :_Θ. □

3.4 Definition If Θ = <≡_Θ, :_Θ> is a Δ congruence on A, then we let [a]_Θ denote the congruence class [a]_{≡_Θ} and define the Δ quotient A/Θ to be the Δ algebra <A/≡_Θ, :_{A/Θ}> where the typing relation is defined by [a]_Θ :_{A/Θ} [b]_Θ iff there exist a' ∈ [a]_Θ and b' ∈ [b]_Θ such that a' :_Θ b'. □

3.5 Definition T_Ω(V) =def <T_Ω(V), ∅> is the term Δ algebra of signature Ω and variables V, where T_Ω(V) is the standard term algebra. □

3.6 Definition atomic Δ formula: (i) t1 = t2 (equations), (ii) t1 : t2 (type assignments), with t1, t2 ∈ T_Ω(V);
Δ formula: (iii) Γ → α with α an atomic Δ formula, called conclusion, and Γ a finite, possibly empty set of atomic Δ formulae, called assumption. □

3.7 Definition A Δ presentation is a triple <Ω, V, E>, where E is a finite set of Δ formulae on Ω and V. □

Substitution, assignment, evaluation have the usual definitions. By the evaluation lemma (existence of a unique Δ morphism extending a given assignment) term evaluation is determined by assignment; Δ satisfaction is then defined as one expects. The Δ calculus ⊢_Δ is a binary relation between Δ presentations and Δ formulae that is constructed using two axiom schemas and eight inference rule schemas (collectively termed rules of the Δ calculus, for short) in the usual, proof-theoretic way. The rules are presented in Table 1, where, understanding the signature Ω and variables V (as we will often feel free to do), we adopt the following notation: (i) t, u (possibly with subscripts) are terms, (ii) α, β are atomic formulae, (iii) Γ is an assumption, (iv) φ is a formula, (v) σ is a substitution : T_Ω(V) → T_Ω(V), extended to formulae in the usual way, (vi) ω is a k-ary operator. □


1.  E ⊢_Δ {α} → α                                                                   Tautology

2.  If E ⊢_Δ Γ → α then E ⊢_Δ Γ ∪ {β} → α                                             Monotonicity

3.  E ⊢_Δ t = t                                                                     Reflexivity

4.  If E ⊢_Δ Γ → t1 = t2 then E ⊢_Δ Γ → t2 = t1                                      Symmetry

5.  If E ⊢_Δ Γ → t1 = t2 and E ⊢_Δ Γ → t2 = t3 then E ⊢_Δ Γ → t1 = t3                 Transitivity

6.  If E ⊢_Δ Γ → α then E ⊢_Δ σ(Γ) → σ(α)                                             Substitution

7.  If E ⊢_Δ Γ → ti = ui (i = 1,...,k) then E ⊢_Δ Γ → ω(t1,...,tk) = ω(u1,...,uk)     Replacement

8.  If E ⊢_Δ Γ ∪ {α} → β and E ⊢_Δ Γ → α then E ⊢_Δ Γ → β                           Modus Ponens

9.  If E ⊢_Δ Γ → t1 = t2 and E ⊢_Δ Γ → t1 : u then E ⊢_Δ Γ → t2 : u                    Typing equals

10. If E ⊢_Δ Γ → u1 = u2 and E ⊢_Δ Γ → t : u1 then E ⊢_Δ Γ → t : u2                    Equating types

Table 1: The rules of the Δ calculus


3.8 Proposition The Δ calculus is sound: if the Δ algebra A satisfies the presentation E, then it satisfies any formula derivable from E; in symbols: (A ⊨ E ∧ E ⊢_Δ φ) ⇒ A ⊨ φ. □

3.9 Theorem The Δ calculus is complete: if the formula φ is a logical consequence of the presentation E, then it is derivable from E; together with the soundness (proposition 3.8), this is formulated as: E ⊢_Δ φ ⇔ E ⊨ φ. □

Let T_Ω denote the ground term Δ Ω-algebra; T_Ω/E is then the quotient of T_Ω by the Δ congruence defined via the Δ calculus.

3.10 Theorem T_Ω/E is initial in the class of Δ Ω-algebras that satisfy E. □
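As an added example (not code from the paper), the following Python forward-chaining engine computes the ground Δ consequences of a presentation with the rules of Table 1 and applies it to the STACK specification of Section 2, to see which ground terms come out underdefined in the sense of the Introduction. Two devices are ours, not the paper's: the closure is cut off at a maximum term depth so that it is finite, and a constant a : item is added to the presentation so that there is something to push. Substitution and Modus Ponens are folded into one step that fires an axiom on facts matching its premises; Replacement is applied one argument position at a time, which together with Transitivity gives the full rule.

```python
"""Forward-chaining closure of a DELTA presentation over ground terms.

Added example, not the paper's code.  Ground terms are Python strings (constants)
or tuples (operator, arg1, ..., argk); variables in axioms are strings beginning
with '?'.  An atomic formula is a triple (kind, t1, t2) with kind '=' (equation)
or ':' (type assignment); an axiom is (premises, conclusion)."""

MAX_DEPTH = 2   # cap on term depth so the closure is finite (our assumption, not the paper's)


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def depth(t):
    return 0 if isinstance(t, str) else 1 + max((depth(a) for a in t[1:]), default=0)


def match(pat, term, sub):
    """Extend substitution `sub` so that pat[sub] == term; None if impossible."""
    if is_var(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        return {**sub, pat: term}
    if isinstance(pat, str) or isinstance(term, str):
        return sub if pat == term else None
    if pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, a in zip(pat[1:], term[1:]):
        sub = match(p, a, sub)
        if sub is None:
            return None
    return sub


def subst(t, sub):
    """Apply a substitution; every variable of a conclusion must occur in the premises."""
    if is_var(t):
        return sub[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(a, sub) for a in t[1:])


def instances(premises, by_kind, sub):
    """Substitutions under which every premise is an already derived fact
    (rules 6 and 8: Substitution + Modus Ponens, applied to an axiom of E)."""
    if not premises:
        yield sub
        return
    kind, l, r = premises[0]
    for fl, fr in by_kind[kind]:
        s = match(l, fl, sub)
        s = match(r, fr, s) if s is not None else None
        if s is not None:
            yield from instances(premises[1:], by_kind, s)


def subterms(facts):
    seen = set()

    def walk(t):
        if t not in seen:
            seen.add(t)
            if not isinstance(t, str):
                for a in t[1:]:
                    walk(a)

    for _, l, r in facts:
        walk(l)
        walk(r)
    return seen


def closure(axioms, max_depth=MAX_DEPTH):
    """Least set of ground atomic formulae derivable with the rules of Table 1,
    restricted to terms of depth <= max_depth."""
    facts = set()
    while True:
        by_kind = {"=": [(l, r) for k, l, r in facts if k == "="],
                   ":": [(l, r) for k, l, r in facts if k == ":"]}
        new = set()
        for prem, (kind, l, r) in axioms:                # Substitution + Modus Ponens
            for sub in instances(prem, by_kind, {}):
                new.add((kind, subst(l, sub), subst(r, sub)))
        for t in subterms(facts):
            new.add(("=", t, t))                          # Reflexivity
            if not isinstance(t, str):                    # Replacement, one argument at a time
                for i, a in enumerate(t[1:], 1):
                    for l, r in by_kind["="]:
                        if l == a:
                            new.add(("=", t, t[:i] + (r,) + t[i + 1:]))
        for l, r in by_kind["="]:
            new.add(("=", r, l))                          # Symmetry
            for l2, r2 in by_kind["="]:
                if r == l2:
                    new.add(("=", l, r2))                 # Transitivity
            for tl, tr in by_kind[":"]:
                if tl == l:
                    new.add((":", r, tr))                 # Typing equals
                if tr == l:
                    new.add((":", tl, r))                 # Equating types
        new = {f for f in new if max(depth(f[1]), depth(f[2])) <= max_depth}
        if new <= facts:
            return facts
        facts |= new


# The STACK presentation of Section 2, plus a constructed constant a : item (ours).
STACK = [
    ((), (":", "empty", "stack")),
    ((), (":", "a", "item")),
    (((":", "?s", "stack"), (":", "?i", "item")), (":", ("push", "?s", "?i"), "stack")),
    (((":", "?s", "stack"), (":", "?i", "item")), ("=", ("pop", ("push", "?s", "?i")), "?s")),
    (((":", "?s", "stack"), (":", "?i", "item")), ("=", ("top", ("push", "?s", "?i")), "?i")),
]


def is_underdefined(t, facts):
    """Underdefined: no type is assigned to t, and t is not itself a type assigned to some element."""
    return not any(k == ":" and (l == t or r == t) for k, l, r in facts)


if __name__ == "__main__":
    facts = closure(STACK)
    for t in [("push", "empty", "a"), ("pop", ("push", "empty", "a")),
              ("pop", "empty"), ("top", "empty")]:
        print(t, "underdefined" if is_underdefined(t, facts) else "typed")
```

Nothing in the presentation says what pop(empty) is, so no rule ever types or equates it, and the engine reports it underdefined; pop(push(empty,a)) on the other hand receives the type stack through the equation pop(push(s,i)) = s and rule 9 (Typing equals), which is the exception-by-default behaviour the Introduction describes.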

4. Summary of further results, current work and future developments

Further results have been obtained in [MSS 89] relating to representation in Δ of order-sorted logic [G 78] and of the logic of partial algebras [B 86], [BW 82]. For instance, if O is an order-sorted presentation and φ a formula of that logic, then O ⊨_OS φ iff τ_Δ(O) ⊢_Δ τ_Δ(φ), where τ_Δ is a suitable translation operator. In a similar manner Δ enables one to obtain calculi and completeness theorems for the logic of partial algebras, as well as other logics (category theory). On the computational side, generalizations of the confluence results presented in [BK 86] are available for Δ.

We are currently studying the potential of Δ for applications, e.g. specification of software systems: notions of hierarchy and modularity are here the main topics of investigation. Some future work will be concerned with a particular, especially intriguing application domain: the algebraic formulation of significant fragments of natural language grammars. We dared a glimpse at this area in our previous work [MSS 88] and were encouraged by the great ease of expression which ensues from integrating equality, types and term construction.
In this paper we show an algebraic transformation of sequential specifications to the equivalent concurrent specifications. Here, we consider sequential specifications in the form of regular expressions extended with a declaration of the actions that are independent and have a potential for a concurrent execution. This kind of a sequential specification can be represented in the sequential programming language, called Banach. (Banach has been designed by us in such a way that the programmer does not have to be concerned about synchronization details, [JM88, JM89].) The concurrent specification can be translated into an equivalent concurrent specification, and finally into a concurrent programming language, such as Occam.

The above results have important applications in software technology. The user of the Banach programming language can take advantage of the increased efficiency of concurrent architectures, and at the same time she/he can concentrate on the algorithms being implemented and disregard technical issues, such as low-level synchronization details. The (automatic) transformation of the provided sequential specification will yield an equivalent concurrent specification. This approach has its origin in research described in [J81, LH82].

A sequential specification of executions of actions from some alphabet A is given by a regular expression R. The semantics of this specification is defined by two components ([J85, JL88]): the set RFS(R) of resulting histories of R, defined as the language generated by the expression R, and the set FS(R) of histories (or firing sequences), defined as Pref(RFS(R)), where for a language L ⊆ A*

Pref(L) = {x ∈ A* : ∃y ∈ A* (xy ∈ L)}.

A concurrent regular expression is of the form CR = R1 || ... || Rn, where for i = 1,...,n, Ri is a regular expression. The semantics of concurrent expressions can be defined in an algebraic way, using vector sequences [Shi79]. First, for any action x ∈ A, where A is the alphabet of CR defined as the union of the alphabets of the component expressions Ri, we denote by x̲ the vector [h1(x),...,hn(x)], where hi(x) is x if x ∈ Ai, and ε otherwise (here, ε is a distinguished element denoting null). Then we put vect(L) = {x̲ : x ∈ L}, for any L ⊆ A*. Now, the semantics of CR is defined by the set of resulting histories

RVFS(CR) = vect(A*) ∩ RFS(R1) × ... × RFS(Rn)

and the set of histories

VFS(CR) = vect(A*) ∩ FS(R1) × ... × FS(Rn).

Both these sets are closed under the operation Pref.

Note that the above semantics, described in terms of vector firing sequences, can be equivalently described using Mazurkiewicz's traces (see [Maz77, Maz86]).

For u, v ∈ A*, a shuffle of u and v is defined as

sh(u,v) = {u1v1u2v2...unvn : u = u1u2...un, v = v1v2...vn, ui ∈ A*, vi ∈ A* for i = 1,...,n}.

For L1, L2 ⊆ A*, we put

Sh(L1, L2) = ∪_{u∈L1, v∈L2} sh(u,v).

Now, we define a parallel composition of words and languages. For a partition A1, A2 of A and u ∈ A1*, v ∈ A2* we put

u||v = sh((A2−A1)*, u) ∩ sh((A1−A2)*, v)

and for L1 ⊆ A1*, L2 ⊆ A2* we put

L1||L2 = {x : x ∈ u||v, u ∈ L1, v ∈ L2}.

By associativity, we extend the operation || to n words and n languages, n ≥ 2. Then, for a CR: R1||...||Rn we can define the set of resulting histories as a parallel composition of the resulting histories of the components:

RFS(R1)||...||RFS(Rn)

and similarly, we define the set of histories as a parallel composition of the histories of the components:

FS(R1)||...||FS(Rn).

By a p-concurrent regular expression (a potentially concurrent expression) we mean a regular expression R, the alphabet of which is partitioned into a finite number of subsets (intuitively, actions that are mutually dependent occur in the same subset). Thus, a p-concurrent regular expression (PCR) is a pair (R, A = A1 ∪ A2 ∪ ... ∪ An) where A is the alphabet of R. We define the semantics of p-concurrent expressions using vector firing sequences (comp. [Jan85]). The set of resulting histories of the p-concurrent expression is defined as

RVFS(CR) = vect(RFS(R))

and the set of histories of the p-concurrent expression is defined as

VFS(CR) = Pref(vect(RFS(R))) = Pref(RVFS(CR)).

Here, R is the first component of CR.

As above, the semantics of p-concurrent regular expressions can be defined using traces. Let I be an independence relation over the alphabet A of a CR: (R, A = A1 ∪ A2 ∪ ... ∪ An) defined as follows:

(u,v) ∈ I if ∀i, u ∉ Ai or v ∉ Ai.

We denote by ind a relation over A* associated with the relation I:

(u,v) ∈ ind if v can be obtained from u by permuting successive letters that are in the relation I.

For a language L ⊆ A*, a trace language tr(L) is the set of equivalence classes L/ind of elements of L. Now, we define resulting histories as tr(RFS(R)), and histories as Pref(tr(RFS(R))).

As mentioned above, p-concurrent regular expressions have a potential for a concurrent execution. In order to reveal this potential, for a given p-concurrent expression PCR we should find a concurrent expression that will be equivalent to this PCR. For this sake, we now describe a transformation ζ of a p-concurrent expression PCR: (R, A = A1 ∪ A2 ∪ ... ∪ An) into a concurrent expression CR of the form CR: R1||...||Rn (see [Jan85]). Each of the component expressions is formed by erasing, or the concealment in R of, those actions that do not appear in Ai. Thus, Alpha(Ri) = Ai and RFS(Ri) = hi(RFS(R)). The transformation ζ is not a function, that is, there may be more than one element of ζ(PCR). From the definition of ζ it follows that

R1 ||...|| Rn ∈ ζ(PCR) iff (∀i) RFS(Ri) = RFS(PCRiε)

where PCRiε is derived from PCR by replacing all elements of A−Ai by ε.

We say that a p-concurrent regular expression PCR = (R, A = A1 ∪ A2 ∪ ... ∪ An) is proper if ζ(PCR) is equivalent to PCR, that is

VFS(PCR) = VFS(ζ(PCR)) and RVFS(PCR) = RVFS(ζ(PCR)).

(The above equalities are well-defined because for ξ1, ξ2 ∈ ζ(PCR) we have VFS(ξ1) = VFS(ξ2) and RVFS(ξ1) = RVFS(ξ2).)


Example

PCR: a;b;c    A1={a,b}    A2={a,c}    ζ(PCR) ∋ CR: ((a;c) || (b;c))  ■

Since the computations of PCR produce the same histories and resulting histories as the computations of CR, the above PCR is proper. In general, a PCR and a resulting CR may have different sets of histories and identical sets of resulting histories, or identical sets of histories and different sets of resulting histories. An example of the former case is

PCR: (a;c;e),(b;d;f)    A1={a,e,b,f},  A2={c,e,d,f}
ζ(PCR) ∋ CR: ((a;e),(b;f)) || ((c;e),(d;f))

for which the sets of resulting histories are identical, but the set of histories of CR includes the sequence ad (leading to a deadlock), which clearly is not a history of the PCR. An example of the latter case is

PCR: (a,b)*    A1={a}    A2={b}    ζ(PCR) ∋ CR: a* || b*

for which the sets of histories are identical, but resulting histories of the PCR must have the same number of occurrences of a's and b's, while resulting histories of the CR contain an arbitrary number of these actions.

Note that in the above examples p-concurrent expressions were not proper because of the conflict between the choice constructor and the independency relation: independent actions occurring in branches of the choice were mapped by ζ to different components of the parallel construct ||. Thus, we introduce synchronization guards which are in conflict with such actions. Synchronization guards will be inserted into alternatives and loops. Formally, let Σ be a class of synchronized p-concurrent regular expressions defined by the following grammar:

expr ::= el | el ; el
el   ::= action | (Δ; expr)* | (expr) | alt        (Δ is called a synchronization guard)
alt  ::= expr , (Δ; expr)

such that for i(a) = {j : a ∈ Aj} the following conditions are satisfied:

• for each loop (Δ;expr)*:  ∀b ∈ Alpha(expr) (i(b) ⊆ i(Δ))

• for each alternative (expr1, (Δ; expr)):  ∀b ∈ (Alpha(expr1) ∪ Alpha(expr)) (i(b) ⊆ i(Δ))

• synchronization guards are unique

Now, we define a transformation Π from the set R of all p-concurrent regular expressions into Σ. The mapping Π inserts the synchronization actions as described above. Thus, the alphabet A of any expression from Σ is extended with a number of symbols from some alphabet SYNC, disjoint from A.

Let us explain the conditions in the definition of the class Σ. The first two of the above conditions state that synchronization guards are not independent of the other actions in the same alternative or loop. Note that synchronization guards are not necessarily dependent on all other actions. This is because we do not wish to limit concurrency by introducing synchronization guards, that is, we require that the set of histories of the transformed expression with the synchronizing actions concealed should be identical to the set of histories of the original expression. For example, if

PCR: a;(b,c)    A1={a}    A2={b,c}

then the concurrency in the expression CR: ((a;(ε,Δ))) || ((b,(Δ;c))), resulting from the expression

Π(PCR): a;(b,(Δ;c))    A1={a,Δ}    A2={b,c,Δ}

would be unnecessarily limited; for example the sequence ca is a history of PCR but is not a history of CR.

The reason the third condition above requires synchronization guards to be unique is explained by the following example:

PCR: a,b,c    A1={a},  A2={b},  A3={c}

Here, the expression Π(PCR) with a non-unique synchronization guard is not proper:

Π(PCR): a,(Δ;b),(Δ;c)    A1={a,Δ}    A2={b,Δ}    A3={c,Δ}

but, indeed, the expression Π(PCR) with unique synchronization guards is proper:

Π(PCR): a,(Δ1;b),(Δ2;c)    A1={a,Δ1,Δ2}    A2={b,Δ1,Δ2}    A3={c,Δ2}  ■


Theorem 1

Every synchronized p-concurrent regular expression from the class Σ is proper.

Let X|SYNC denote the concealment of the actions from SYNC. It can be proved that synchronization guards do not limit potential concurrency:

Theorem 2

For every concurrent regular expression R

VFS(R) = VFS(Π(R))|SYNC and RVFS(R) = RVFS(Π(R))|SYNC

Therefore, for a specification S of a sequential system in the form of a p-concurrent regular expression (which can be obtained from a Banach program), we can first apply the transformation Π to get a proper specification Π(S), and then the transformation ζ, to get an equivalent concurrent specification ζ(Π(S)). For example, for the expression

PCR: a,b,c    A1={a}    A2={b}    A3={c}

we have

Π(R): a,(Δ1;b),(Δ2;c)    A1={a,Δ1,Δ2}    A2={b,Δ1,Δ2}    A3={c,Δ2}

and ζ(Π(R)) is of the form:

a,Δ1,Δ2 || ε,(Δ1;b),Δ2 || ε,ε,(Δ2;c)
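The following Python code is an added example, not from the paper; it implements the vector firing sequence semantics defined above for finite languages and checks properness directly, so the claims made about the examples can be recomputed. Languages are given as finite sets of words (tuples of action names) rather than generated from regular expressions, ζ is computed at the language level through RFS(Ri) = hi(RFS(R)), and the guards Δ, Δ1, Δ2 are spelled D, D1, D2. It reproduces the deadlock example (a;c;e),(b;d;f), the choice example a,b,c, the non-unique guard version of Π(PCR), and the uniquely guarded Π(PCR) just above.

```python
"""Vector firing sequence semantics of p-concurrent regular expressions and the
properness check.  Added example, not the paper's code.  A language is a finite set
of words, each word a tuple of action names; a PCR is (RFS(R), [A1, ..., An])."""
from itertools import product


def proj(w, alph):
    """h_i(w): erase from w every action that is not in alph."""
    return tuple(x for x in w if x in alph)


def vect(w, parts):
    """The vector [h_1(w), ..., h_n(w)] of the word w."""
    return tuple(proj(w, A) for A in parts)


def pref(lang):
    """Pref(L) = {x : exists y, xy in L}."""
    return {w[:k] for w in lang for k in range(len(w) + 1)}


def words(alphabet, max_len):
    """A finite slice of A*: all words of length <= max_len."""
    return [w for n in range(max_len + 1) for w in product(sorted(alphabet), repeat=n)]


def is_vprefix(v, x):
    """Prefix in the product of free monoids: every component of v is a prefix of x's."""
    return all(xi[:len(vi)] == vi for vi, xi in zip(v, x))


def pcr_semantics(rfs, parts):
    """RVFS(PCR) = vect(RFS(R)) and VFS(PCR) = Pref(RVFS(PCR)) taken inside vect(A*).
    A word longer than the longest resulting history cannot be a prefix, so A* is cut there."""
    alphabet = set().union(*parts)
    rvfs = {vect(x, parts) for x in rfs}
    bound = max(len(x) for x in rfs)
    vfs = {vect(w, parts) for w in words(alphabet, bound)
           if any(is_vprefix(vect(w, parts), v) for v in rvfs)}
    return rvfs, vfs


def zeta(rfs, parts):
    """zeta(PCR) at the language level: component i has RFS(R_i) = h_i(RFS(R))."""
    return [{proj(x, A) for x in rfs} for A in parts]


def cr_semantics(components, parts):
    """RVFS(CR) = vect(A*) ∩ RFS(R_1)x...xRFS(R_n), VFS(CR) = vect(A*) ∩ FS(R_1)x...xFS(R_n).
    Every action lies in some A_i, so a qualifying word is no longer than the sum of the
    longest firing sequences of the components; A* is cut there."""
    alphabet = set().union(*parts)
    fs = [pref(L) for L in components]
    bound = sum(max(len(x) for x in L) for L in fs)
    rvfs, vfs = set(), set()
    for w in words(alphabet, bound):
        v = vect(w, parts)
        if all(vi in fsi for vi, fsi in zip(v, fs)):
            vfs.add(v)
            if all(vi in Li for vi, Li in zip(v, components)):
                rvfs.add(v)
    return rvfs, vfs


def is_proper(rfs, parts):
    """PCR is proper iff VFS(PCR) = VFS(zeta(PCR)) and RVFS(PCR) = RVFS(zeta(PCR))."""
    return pcr_semantics(rfs, parts) == cr_semantics(zeta(rfs, parts), parts)


# The paper's examples transcribed as finite languages (guards Δ, Δ1, Δ2 spelled D, D1, D2).
DEADLOCK_RFS = {("a", "c", "e"), ("b", "d", "f")}            # (a;c;e),(b;d;f)
DEADLOCK_PARTS = [{"a", "e", "b", "f"}, {"c", "e", "d", "f"}]
CHOICE_RFS = {("a",), ("b",), ("c",)}                          # a,b,c
CHOICE_PARTS = [{"a"}, {"b"}, {"c"}]
SAME_GUARD_RFS = {("a",), ("D", "b"), ("D", "c")}              # a,(Δ;b),(Δ;c)
SAME_GUARD_PARTS = [{"a", "D"}, {"b", "D"}, {"c", "D"}]
UNIQUE_GUARD_RFS = {("a",), ("D1", "b"), ("D2", "c")}          # a,(Δ1;b),(Δ2;c)
UNIQUE_GUARD_PARTS = [{"a", "D1", "D2"}, {"b", "D1", "D2"}, {"c", "D2"}]

if __name__ == "__main__":
    for name, rfs, parts in [("deadlock", DEADLOCK_RFS, DEADLOCK_PARTS),
                             ("choice", CHOICE_RFS, CHOICE_PARTS),
                             ("same guard", SAME_GUARD_RFS, SAME_GUARD_PARTS),
                             ("unique guards", UNIQUE_GUARD_RFS, UNIQUE_GUARD_PARTS)]:
        print(name, "proper" if is_proper(rfs, parts) else "not proper")
```

Working with vectors rather than words makes trace-equivalent interleavings such as ace and cae collapse to one element, which is what lets the two sides of the properness equations be compared as plain Python sets; the deadlock example shows up as the vector ((a),(d)) present in VFS(ζ(PCR)) but absent from VFS(PCR).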
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1  Introduction 

This  paper  is  a  preliminary  version  of  the  background  material  for  the  talk  I  will  be  pre¬ 
senting  at  the  International  Conference  on  Algebraic  Methodology  and  Software  Technology, 
Iowa  City,  Iowa,  May  22-24  1989. 

For  many  years  I  have  been  working  on  algebraic/categorical  methods  for  specifying 
various  programming  language  constructs  with  particular  emphasis  on  the  specification  of 
data  types  [10, 9],  and  the  specification  of  programming  languages  as-a-whole  [5,  8,  6,  7, 11]. 
In  this  paper  I  combine  these  interests,  and  present  an  algebraic/categorical  specification 
of  a  language  for  specifying  abstract  data  types.  My  interest  goes  beyond  the  specification 
of  types  to  the  more  general  topic  of  data-directed  design.  The  key  idea  of  data-directed 
design  is  that  software  design  should  be  centered  about  the  design  of  data  types  rather  than 
about  the  design  of  procedures.  I  don’t  have  the  time,  or  space,  here  to  present  detailed 
arguments  for  data  directed  design,  but  Bertrand  Meyer  gives  a  good  presentation  of  them 
in  [2].  The  basic  argument  is  that  a  data  directed  approach  supports  such  good  things 
as  maintainability,  reusability,  and  understandability.  The  tools  from  data  directed  design 
that  are  used  to  realize  these  good  things  are  such  concepts  as  extensibility,  encapsulation 
(information  hiding),  generic  types,  and  inheritance. 

A  data  type  is  specified  in  my  language  by  giving  a  “program”  that  implements  it.  Thus 
these  specification  are  not  algebraic  specifications  as  defined  in  [10,  9].  Indeed,  they  are, 
what  might  be  called,  specifications-by-example.  However,  they  are  still  abstract  specifica¬ 
tions.  The  desired  “abstraction”  is  achieved  through  encapsulating  the  programs  so  that 
one  can  only  exploit  WHAT  the  program  does,  and  not  HOW  it  does  it.  Needless  to  say, 
“encapsulating  programs”  is  not  a  new  idea,  but  what  is  new  here  is  that  we  do  it  in  a 
rigorous  mathematical  framework  that  permits  analysis. 

The  flavor  of  the  language  is  close  to  that  of  many  “object-oriented  languages”  such 
as  SMALLTALK  or  EIFFEL.  In  particular,  we  follow  SMALLTALK  in  using  the  terms 
“class”,  “object”,  and  “method”.  Roughly  speaking,  a  class  is  a  data  type,  an  object  is  an 


instance  of  a  data  type,  and  a  method  is  an  operation  on  a  data  type.  However,  objects, 
in  contrast  to  data  types,  have  “memory”  and  this  means  that  we  are  outside  the  familiar 
domain  of  algebraic  specifications.  On  the  other  hand,  we  are  not  as  close  to  SMALLTALK 
as  our  choice  of  terminology  might  suggest. 

•  We  do  not  have  any  built  in  types,  not  even  BOOL. 

• We use a different form of objects. Most object-oriented languages define objects as being Records, that is, as elements of products. We define objects as being Variants over Records, that is, as elements of a sum of products (or, more precisely, as a coproduct of products in the category of sets).

• We use a “method calling” paradigm rather than the message sending paradigm of SMALLTALK. But a method still belongs to a specific class. We permit a method belonging to a class k to access and/or modify the value of any of its parameters or variables of class k.

•  Associated  with  each  class  k  are  Case,  Assignment,  and  object  creating  operations 
that  can  only  be  used  within  methods  belonging  to  k. 

Some  of  these  differences  will  be  motivated  in  more  detail  as  we  go  along.  For  additional 
motivation  see  (or  await)  [11]. 

The outline of the paper is as follows: Section 2 gives an informal overview of the language. A very brief introduction into the algebraic specification of languages is provided in Section 3. Section 4 gives the syntax of the language. Section 5 defines the class of algebras used in the semantics which is then presented in Section 6. In Section 7 we give examples of the use of the language to define some familiar data types. Section 8 takes a brief look at some of the issues I hope to address more fully in my talk.

Some notation: Given a set $K$, we write $K^*$ for the set of strings on $K$, and $(K^*)^*$ for the set of strings-of-strings on $K$. We write $\lambda$ for the empty string in $K^*$, and $(\,)$ for the empty string in $(K^*)^*$. Given strings $v_1, \ldots, v_n$ in $K^*$, we write $(v_1) \cdots (v_n)$ to denote the string in $(K^*)^*$ whose $i$th element is $v_i$. Given a string $u$ we write $|u|$ to denote the length of $u$.

2  Informal  Overview  of  the  Language 

This section gives an informal overview of the language. The vocabulary used is close to that used by the SMALLTALK community. But I want to warn both programmers and mathematicians that words such as “class” and “object” may not have the meaning they might expect.

A program consists of a specification of a collection K of classes. A class k consists of a specification of the form of the objects of k together with the collection of methods belonging to k. An object in k is either nil_k, the nil object of k, or it is an instance of k. An instance of k has a value which is a tuple of objects. The form of k specifies which tuples may occur as values of instances of objects from k. A method belonging to k is a specification of an operation on objects. The specification of a method σ will specify the parameters of σ, the temporary variables used in σ, the expression describing the steps of σ, and the class of the result returned by σ. The execution of a method of class k will, providing it terminates, return a result and may change the value of some of its parameters.

For example, we can give a program specifying the classes BOOL, NAT, INT, STACK-OF-INT. The form of an object of class STACK-OF-INT could specify that an instance of an object of STACK-OF-INT will have a value that is either an empty tuple ( ), or a pair (S, I) where S is an object of class STACK-OF-INT and I is an object of class INT. The intuition is that a STACK-OF-INT is either empty or it consists of a top element I and a “substack”, S, corresponding to the remainder of the stack. The class STACK-OF-INT would have methods for operations such as POP, PUSH, and MAKE-EMPTY-STACK. The method for POP would specify that it has a STACK-OF-INT as parameter, and that it returns an object of class INT. This example is worked out in detail in Section 7.

The  form  of  a  class  k  restricts  the  values  of  instances  to  a  given  sum  of  products  of  the 
sets  of  objects  of  specified  classes.  The  form  of  a  class  is  fixed  but  the  specific  sets  will 
change  with  time  —  in  effect,  objects  do  not  come  into  existence  until  they  are  needed. 

In the example of STACK-OF-INT the form will restrict the values to the set $1 + (O_{\mathrm{stack}} \times O_{\mathrm{int}})$ where $1$ denotes the product of the empty set of sets (the one-element set containing the empty tuple $(\,)$), $O_{\mathrm{stack}}$ is the set of objects of class STACK-OF-INT, and $O_{\mathrm{int}}$ denotes the set of objects of class INT.

The expression specifying the steps of a method σ, belonging to class k, is built from primitive operations together with the parameters and temporary variables of σ. The desired encapsulation of classes is achieved by restricting the writing of methods so that knowledge of the form of a class k can only be exploited within methods belonging to the class k. For each class k, we use the form of k to define a set of basic operations that can only be used within expressions specifying methods belonging to k. Briefly, for each class k we have private operations:

NEW(k, i), an operation that creates a new instance of an object of class k with value the all-nil tuple for summand i.

CASE(e0, e1, ..., en), a case statement with a case for each of the n summands of k. If the expression e0 evaluates to a tuple in the ith summand of k then the expression ei is evaluated.

CHANGE(e0, i, e1, ..., en), an operation for changing the value of an object of class k. Changes the value of the object of class k resulting from the evaluation of the expression e0 to the n-tuple for summand i resulting from evaluating the expressions
ACCESS(e0, i, j), an operation for accessing components of objects of class k. The operation returns the jth component of the ith summand of the object of class k resulting from evaluating the expression e0.


In addition there are the following public operations that can be used in any method of any class.

NIL_k, a constant, denoting the nil object of class k — note that the nil objects are typed.

INST(e0, e1, e2), a conditional operation, evaluates expression e0 to get an object x of class k, then evaluates e1 if x is an instance of k, but evaluates e2 if x is the nil object of k.

ASSIGN(i, e0), e0 evaluates to an object of class k which is assigned to the ith temporary variable of class k.

e1;e2, an operation for composing the evaluations of expressions.

CALL(ρ, e1, ..., en), an operation for calling methods of other classes. Method ρ is called and passed, as parameters, the objects resulting from evaluating the expressions e1, ..., en. A method belonging to a class k can only access, or change, the value of objects of a class k' ≠ k by calling methods belonging to k'.

The  syntax  given  in  section  4  ensures  that  the  applications  of  these  operations  are 
well-defined. 

To  define  the  methods  POP  and  PUSH  for  STACK-OF-INT  we  can  use  the 
NEW,  CASE  and  CHANGE  operations  corresponding  to  the  form  of  STACK-OF-INT. 

The NEW operation for STACK-OF-INT can be used to create either the empty STACK-OF-INT corresponding to the empty-tuple ( ), or to produce a pair (nil_stack, nil_int); the latter operation is not of any interest in this example. The CASE operation for STACK-OF-INT has two cases, corresponding intuitively to empty-stack and non-empty stack. The CHANGE operation for STACK-OF-INT allows us to change the value of a STACK-OF-INT object as required by the POP and PUSH methods.

3  Algebraic  Specifications  of  Languages 

As mentioned in the introduction, I have been working on algebraic/categorical methods for specifying the design of imperative programming languages. The idea is to provide a framework for language design that is simultaneously operational, abstract, and prescriptive. By “operational” I mean that I can talk about executions of programs, and about operations such as declaring variables, creating pointers, assigning values, etc. By “abstract” I mean that I can describe “what” happens without saying just “how” it is done - for example, I can talk about “declaring variables” or “creating pointers” without giving an overly specific implementation of this within some “machine”. By “prescriptive” I mean that the framework naturally promotes good design and understanding of good design.

Some  underlying  ideas  of  this  approach  are 

•  to  model  the  execution  of  a  program  in  terms  of  state  transitions  where  the  states 
are  algebras  and  represent  not  just  “the  memory”  but  also  include  “the  currently 
declared”  types,  variables,  pointers,  constants,  etc. 

• that the basic operations on states should be natural categorical operations on the algebras and/or their signatures. For example, as shown in [6], declarations of variables, pointers, and data types, can all be described in terms of pushouts in an appropriate category of algebras.

• that records and variants are key concepts, that they correspond to products and coproducts and that their associated morphisms (projections, injections, and mediators) correspond to important programming concepts. For example, the mediating morphism for a coproduct representing a variant corresponds to the case statements (or case expressions) used for type-safe access to the variant.

We use this approach in this paper, but, by and large, we avoid explicit mention of the categorical constructions, and present the semantic constructions without discussing the mathematical motivations behind them. However, examination will reveal that the definitions of the INST, NEW, CASE, CHANGE and ACCESS operations exploit the available categorical structure, sometimes at several levels.

Section 4 gives the syntax of the language. The syntax, as given, is not very user friendly, so we follow it by some informal sugaring which we employ in the examples in Section 7. In Section 5 we describe the algebras that are used to describe the states. Finally, in Section 6 we describe the operations on the state-algebras that give the semantics of the language.


4  Abstract  Syntax 

A specification of classes consists of the following data:

$K$, a set (of class names).

$\Sigma$, a set (of method names).

$\alpha : \Sigma \to K \times K^* \times K$. If $\sigma \in \Sigma$, and $\alpha(\sigma) = (k, u, t)$ then $\sigma$ belongs to the class $k$, has $|u|$ arguments where the $i$th argument is of class $u_i$, and $\sigma$ returns a value of class $t$.

$\iota : K \to (K^*)^*$. If $\iota(k) = v_1 \cdots v_n \in (K^*)^*$ with $v_j = v_{j,1} \cdots v_{j,n_j} \in K^*$, then the class $k$ is of form $\iota(k)$, has $n$ summands the $j$th of which, for $j \in \{1, \ldots, n\}$, has $n_j$ components the $i$th of which, for $i \in \{1, \ldots, n_j\}$, is of class $v_{j,i}$.

$\tau : \Sigma \to K^*$. If $\tau(\sigma) = w$, then the method $\sigma$ has $|w|$ temporaries (local variables), the $i$th of which is of class $w_i$.

$\xi : \Sigma \to \mathit{Expr}$, where $\xi(\sigma)$ is the body-expression of the method $\sigma$. We call $\mathit{Expr}$ the set of expressions. If $\alpha(\sigma) = (h, u, k)$ then $\xi(\sigma) \in \mathit{Expr}_{k,\sigma}$, the set of $k$-$\sigma$-expressions, defined as follows:


$\mathrm{NIL}_k$ is a $k$-$\sigma$-expression.

$P_{\sigma,i}$ is a $k$-$\sigma$-expression if $\alpha(\sigma) = (h, w, t)$ and $i \in \{1, \ldots, |w|\}$ such that $w_i = k$.

$T_{\sigma,i}$ is a $k$-$\sigma$-expression if $i \in \{1, \ldots, |\tau(\sigma)|\}$ such that $\tau(\sigma)_i = k$.

$e_1;e_2$ is a $k$-$\sigma$-expression if $e_1$ is a $j$-$\sigma$-expression for some $j \in K$, and $e_2$ is a $k$-$\sigma$-expression.

$\mathrm{INST}(e_0, e_1, e_2)$ is a $k$-$\sigma$-expression if $e_0$ is a $j$-$\sigma$-expression for some $j \in K$, and if $e_1$ and $e_2$ are $k$-$\sigma$-expressions.

$\mathrm{ASSIGN}(i, e_1)$ is a $k$-$\sigma$-expression if $i \in \{1, \ldots, |\tau(\sigma)|\}$, $\tau(\sigma)_i = k$, and $e_1$ is a $k$-$\sigma$-expression.

$\mathrm{CALL}(\rho, e_1, \ldots, e_p)$ is a $k$-$\sigma$-expression if $\rho \in \Sigma$, and there exist $h$ and $u$ such that $\alpha(\rho) = (h, u, k)$, and, where $u = u_1 \cdots u_p$, we have that $e_i$ is a $u_i$-$\sigma$-expression for each $i \in \{1, \ldots, p\}$.

$\mathrm{NEW}(k, i)$ is a $k$-$\sigma$-expression if $i \in \{1, \ldots, |\iota(k)|\}$, and $\sigma$ belongs to $k$.

$\mathrm{CASE}(e_0, e_1, \ldots, e_n)$ is a $k$-$\sigma$-expression if, where $\alpha(\sigma) = (j, u, h)$, $e_0$ is a $j$-$\sigma$-expression, $n = |\iota(j)|$, and, for each $i = 1, \ldots, n$, $e_i$ is a $k$-$\sigma$-expression. Note that, here, $\sigma$ belongs to $j$ but returns a $k$ object.

$\mathrm{CHANGE}(e_0, i, e_1, \ldots, e_p)$ is a $k$-$\sigma$-expression if $e_0$ is a $k$-$\sigma$-expression, there exist $u$ and $h$ such that $\alpha(\sigma) = (k, u, h)$, so $\sigma$ belongs to $k$, and, where $\iota(k) = v_1 \cdots v_n \in (K^*)^*$, we have $i \in \{1, \ldots, n\}$, $p = |v_i|$, and $v_i = v_{i,1} \cdots v_{i,p}$ where, for each $j \in \{1, \ldots, p\}$, $e_j$ is a $v_{i,j}$-$\sigma$-expression.

$\mathrm{ACCESS}(e_0, i, j)$ is a $k$-$\sigma$-expression if $e_0$ is an $h$-$\sigma$-expression, there exist $u$ and $t$ such that $\alpha(\sigma) = (h, u, t)$, so $\sigma$ belongs to $h$, and, where $\iota(h) = v_1 \cdots v_n \in (K^*)^*$, we have $i \in \{1, \ldots, n\}$, and, where $v_i = v_{i,1} \cdots v_{i,p}$, that $j \in \{1, \ldots, p\}$ and $v_{i,j} = k$.
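The rules above decide, for a given specification and method, which class each expression has, and they are where the encapsulation of a class is actually enforced: NEW, CASE, CHANGE and ACCESS are only well-formed inside methods belonging to the class they operate on. As an added example (not code from the paper), here is a Python checker that implements these rules over a tuple encoding of expressions; the encoding, the dict layout of $(K, \Sigma, \alpha, \iota, \tau, \xi)$, and the extra method `top` are this example's own. The sample specification is Example 1's BOOL together with Example 4's STACK(D) with D rewritten to BOOL, plus a deliberately ill-formed method to show the rejection.

```python
"""Added example: a well-formedness checker for the k-sigma-expressions of Section 4.
Expressions are nested tuples tagged with the paper's operation names; the data
(K, Sigma, alpha, iota, tau, xi) are plain dicts.  classify() returns the unique k
such that e is a k-sigma-expression or raises TypeError, so the encapsulation rule
(NEW, CASE, CHANGE, ACCESS only in methods of their own class) is enforced before
any method runs.  The tuple encoding and the method `top` are this example's own."""


def classify(spec, sigma, e):
    alpha, iota, tau = spec["alpha"], spec["iota"], spec["tau"]
    owner, params, _ = alpha[sigma]              # alpha(sigma) = (k, u, t): sigma belongs to k
    tag, rest = e[0], e[1:]

    def expect(sub, k):                          # sub must be a k-sigma-expression
        got = classify(spec, sigma, sub)
        if got != k:
            raise TypeError(f"{sigma}: expected a {k}-expression, got {got} in {sub}")
        return k

    def summand(i):                              # component classes of summand i of owner
        if not 1 <= i <= len(iota[owner]):
            raise TypeError(f"{sigma}: {owner} has no summand {i}")
        return iota[owner][i - 1]

    if tag == "NIL":                             # NIL_k is a k-sigma-expression
        return rest[0]
    if tag == "P":                               # P_{sigma,i}: class of the ith parameter
        return params[rest[0] - 1]
    if tag == "T":                               # T_{sigma,i}: class of the ith temporary
        return tau[sigma][rest[0] - 1]
    if tag == "SEQ":                             # e1 ; e2 has the class of e2
        classify(spec, sigma, rest[0])
        return classify(spec, sigma, rest[1])
    if tag == "INST":                            # INST(e0, e1, e2): both branches of one class
        classify(spec, sigma, rest[0])
        return expect(rest[2], classify(spec, sigma, rest[1]))
    if tag == "ASSIGN":                          # ASSIGN(i, e1): e1 has the class of T_i
        return expect(rest[1], tau[sigma][rest[0] - 1])
    if tag == "CALL":                            # CALL(rho, e1..ep): public, any class
        _, u, k = alpha[rest[0]]
        if len(rest[1]) != len(u):
            raise TypeError(f"{sigma}: {rest[0]} takes {len(u)} arguments")
        for arg, cls in zip(rest[1], u):
            expect(arg, cls)
        return k
    if tag == "NEW":                             # NEW(k, i): sigma must belong to k
        k, i = rest
        if k != owner:
            raise TypeError(f"{sigma}: NEW({k}, {i}) inside a method of {owner}")
        summand(i)
        return k
    if tag not in ("CASE", "CHANGE", "ACCESS"):
        raise TypeError(f"{sigma}: unknown operation {tag}")
    e0_cls = classify(spec, sigma, rest[0])      # the object operated on must belong to owner
    if e0_cls != owner:
        raise TypeError(f"{sigma}: {tag} on a {e0_cls} object inside a method of {owner}")
    if tag == "CASE":                            # CASE(e0, e1..en): one branch per summand
        branches = rest[1]
        if len(branches) != len(iota[owner]):
            raise TypeError(f"{sigma}: CASE on {owner} needs {len(iota[owner])} branches")
        k = classify(spec, sigma, branches[0])
        for b in branches[1:]:
            expect(b, k)
        return k
    if tag == "CHANGE":                          # CHANGE(e0, i, e1..ep): one value per component
        comps = summand(rest[1])
        if len(rest[2]) != len(comps):
            raise TypeError(f"{sigma}: summand {rest[1]} of {owner} has {len(comps)} components")
        for arg, cls in zip(rest[2], comps):
            expect(arg, cls)
        return owner
    comps = summand(rest[1])                     # ACCESS(e0, i, j): class of component j
    if not 1 <= rest[2] <= len(comps):
        raise TypeError(f"{sigma}: summand {rest[1]} of {owner} has no component {rest[2]}")
    return comps[rest[2] - 1]


def check_spec(spec):
    """Each body xi(sigma) must be a t-sigma-expression where alpha(sigma) = (k, u, t)."""
    for sigma, body in spec["xi"].items():
        got, want = classify(spec, sigma, body), spec["alpha"][sigma][2]
        if got != want:
            raise TypeError(f"{sigma}: body is a {got}-expression but {sigma} returns {want}")
    return True


S = "STACK(BOOL)"                                # STACK(D) of Example 4 with D := BOOL
SPEC = {
    "iota": {"BOOL": [[], []], S: [[], [S, "BOOL"]]},
    "alpha": {"true": ("BOOL", [], "BOOL"), "false": ("BOOL", [], "BOOL"),
              "not": ("BOOL", ["BOOL"], "BOOL"), "make": (S, [], S),
              "empty?": (S, [S], "BOOL"), "top": (S, [S], "BOOL")},
    "tau": {"true": [], "false": [], "not": [], "make": [S], "empty?": [], "top": ["BOOL"]},
    "xi": {"true": ("NEW", "BOOL", 1),
           "false": ("NEW", "BOOL", 2),
           "not": ("CASE", ("P", 1), [("CALL", "false", []), ("CALL", "true", [])]),
           "make": ("ASSIGN", 1, ("NEW", S, 1)),
           "empty?": ("CASE", ("P", 1), [("CALL", "true", []), ("CALL", "false", [])]),
           # top (constructed for this example): T1 := NIL_BOOL; CASE(P1, T1, T1 := P1.2.2)
           "top": ("SEQ", ("ASSIGN", 1, ("NIL", "BOOL")),
                   ("CASE", ("P", 1), [("T", 1), ("ASSIGN", 1, ("ACCESS", ("P", 1), 2, 2))]))},
}


def encapsulation_violation():
    """A BOOL method that reads a STACK(BOOL) component directly: returns the rejection."""
    bad = {"iota": SPEC["iota"],
           "alpha": {**SPEC["alpha"], "peek": ("BOOL", [S], "BOOL")},
           "tau": {**SPEC["tau"], "peek": []},
           "xi": {"peek": ("ACCESS", ("P", 1), 2, 2)}}
    try:
        check_spec(bad)
    except TypeError as err:
        return str(err)
    return None
```

`check_spec(SPEC)` accepts every body, while `encapsulation_violation()` returns the message for `peek`, whose ACCESS on a STACK(BOOL) parameter is refused because `peek` belongs to BOOL. The check is purely syntactic, which is the point of the paper's design: a method can only learn the form of its own class, and that guarantee does not depend on anything happening at run time.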

The above formal syntax is too formal for convenient use, and it is advantageous to use more suggestive, and compact, notation. We write

$P_i$ for $P_{\sigma,i}$ (that is, for example, $P_4$ for $P_{\sigma,4}$)

$T_i$ for $T_{\sigma,i}$

$T_i := e_1$ for $\mathrm{ASSIGN}(i, e_1)$

$\rho(e_1, \ldots, e_p)$ for $\mathrm{CALL}(\rho, e_1, \ldots, e_p)$

$e_0.i \leftarrow (e_1, \ldots, e_p)$ for $\mathrm{CHANGE}(e_0, i, e_1, \ldots, e_p)$

$e_0.i.j$ for $\mathrm{ACCESS}(e_0, i, j)$.


It will frequently be the case that we want to do a CHANGE operation such as

$P_m.i \leftarrow (P_m.i.1, \ldots, P_m.i.(j-1),\ e_j,\ P_m.i.(j+1), \ldots, P_m.i.p)$

where “only the $j$th component of $P_m.i$ is changed”; we will write this as

$P_m.i.j \leftarrow e_j$.

While this is convenient notation, it is possible to misuse it and write something meaningless. The formal syntax is the real syntax.

Not  surprisingly,  it  will  also  be  convenient  to  present  the  data  for  a  class-collection  in 
a  more  informal  manner.  We  will  not  attempt  to  explain  these  informalities  but  leave  the 
reader  to  deduce  them  from  the  examples. 

5  State  Algebras 

Given a specification $\Gamma = (K, \Sigma, \alpha, \iota, \tau, \xi)$ we want to define the set of many-sorted algebras corresponding to the possible states resulting from executing the methods given for the classes.

We start by defining the collection of $\Gamma$-signatures corresponding to the data $\Gamma$. A $\Gamma$-signature $(S, \Omega)$ will contain a designated sort $1$, and, if $k \in K$, with $\iota(k) = v_1 \cdots v_n \in (K^*)^*$ and $v_i = k_{i,1} \cdots k_{i,p_i} \in K^*$, then $k$ will contribute $n + 4$ elements to the sort set $S$, namely $V_{k,1}, \ldots, V_{k,n}, S_k, I_k, O_k$, and $T_k$. Think of $V_{k,i}$ as the $i$th sort of instance variables for $k$, $S_k$ as the sort of summands for $k$, $I_k$ as the sort of instances of $k$, $O_k$ as the sort of objects of $k$, and $T_k$ as the sort of temporary variables of $k$. These sorts come equipped with operations:

$\mathrm{nil}_k : 1 \to O_k, \quad \tau_k : T_k \to O_k, \quad \iota_k : I_k \to O_k$

$\mu_k : I_k \to S_k, \quad \iota_{k,i} : V_{k,i} \to S_k, \; i = 1, \ldots, n$

$\pi_{k,i,j} : V_{k,i} \to O_{k_{i,j}}, \; i \in \{1, \ldots, n\}, \; j \in \{1, \ldots, p_i\}.$

In addition, it may contain a finite set of constants of sorts $O_k$ and $T_k$ for each $k \in K$. We can represent this signature pictorially as shown in Figure 1. See Section 7 for pictures of some actual signatures.

Figure 1: The $k$-component of a $\Gamma$-signature

A $\Gamma$-state-algebra (or $\Gamma$-algebra), $A$, will be a $(S, \Omega)$-algebra, for some $\Gamma$-signature $(S, \Omega)$, where $A_1$ is a designated singleton set also denoted $1$, and for each $k \in K$, as above,

$A_{O_k} = A_{I_k} + A_1$, a coproduct of these sets in $\mathbf{Set}$, the category of sets and total functions, with coproduct injections $(\iota_k)_A$ and $(\mathrm{nil}_k)_A$.

For each $i \in \{1, \ldots, n\}$, $A_{V_{k,i}} = A_{O_{k_{i,1}}} \times \cdots \times A_{O_{k_{i,p_i}}}$, a product of these sets in $\mathbf{Set}$, with product projections $(\pi_{k,i,1})_A$ through $(\pi_{k,i,p_i})_A$, where, if $\iota(k) = (v_1) \cdots (v_i) \cdots (v_n)$ and $v_i = \lambda$, the empty string, then we take $A_{V_{k,i}} = 1$.

$A_{S_k} = A_{V_{k,1}} + \cdots + A_{V_{k,n}}$, a coproduct of these sets in $\mathbf{Set}$, with coproduct injections $(\iota_{k,1})_A$ through $(\iota_{k,n})_A$.

$A_{T_k}$ will be exactly the set of constants of sort $T_k$.

We do not put any restrictions on $A_{I_k}$, or $(\mu_k)_A$, other than that the functions be functions.

Let $A$ be a state algebra; then the ideas behind the above definition of state-algebra are as follows:

• An object of class $k$ in $A$, that is, an element of $A_{O_k}$, is either the nil-object given by $\mathrm{nil}_k$ or it is an instance of $k$, that is, an element of $A_{I_k}$. This is just what the coproduct says.

• Each instance of an object of class $k$ has a value. In particular, if $x \in A_{I_k}$ then its value is $(\mu_k)_A(x) \in A_{S_k} = A_{V_{k,1}} + \cdots + A_{V_{k,n}}$, which is a sum of products of objects.

• Each element $y$ of $A_{T_k}$ corresponds to a temporary variable with value $(\tau_k)_A(y)$, an object of class $k$.

6  Abstract  Operational  Semantics 

Given the class specification $\Gamma = (K, \Sigma, \alpha, \iota, \tau, \xi)$, and given $\sigma \in \Sigma$ with $\alpha(\sigma) = (j, u, h)$, then a $\sigma$-state algebra (over $\Gamma$) is a $\Gamma$-state algebra $A$ whose signature $(S, \Omega)$ contains at least the constant symbols $P_{\sigma,1}, \ldots, P_{\sigma,|u|}$, corresponding to the parameters of $\sigma$, together with the constant symbols $T_{\sigma,1}, \ldots, T_{\sigma,|\tau(\sigma)|}$, corresponding to the local variables for $\sigma$. In practice we are only interested in $\sigma$-state algebras with finite carriers, and generated by repeated “applications of body-expressions”. From this we can, but won’t, show that the state algebras of interest form a set, $\mathrm{Alg}_\sigma$, rather than a proper class.

When a $k$-$\sigma$-expression $e$ is applied to a $\sigma$-state-algebra $A$, the result, if any, will be a pair $[e]_\sigma(A) = (B, b)$ where $B$ is a $\sigma$-state-algebra and $b$ is an element of $B_{O_k}$. Let $\mathrm{RES}_\sigma$ denote the set of all pairs $(A, a)$ such that $A \in \mathrm{Alg}_\sigma$ and $a \in A_{O_k}$. Then we can regard $[e]_\sigma$ as a partial function,

$[e]_\sigma : \mathrm{Alg}_\sigma \to \mathrm{RES}_\sigma.$

Let $A$ be a $\sigma$-state-algebra with signature $(S, \Omega)$; then $[e]_\sigma(A)$ is defined by the appropriate entry from the following list.

$\mathrm{NIL}_k$ : Define $[\mathrm{NIL}_k]_\sigma(A) = (A, (\mathrm{nil}_k)_A)$.

$P_{\sigma,i}$ : Define $[P_{\sigma,i}]_\sigma(A) = (A, (P_{\sigma,i})_A)$.

$T_{\sigma,i}$ : Define $[T_{\sigma,i}]_\sigma(A) = (A, (\tau_k)_A((T_{\sigma,i})_A))$.

$e_1;e_2$ : Define $[e_1;e_2]_\sigma(A) = [e_2]_\sigma(([e_1]_\sigma(A))_1)$.

$\mathrm{INST}(e_0, e_1, e_2)$ : If $e_0$ is a $j$-$\sigma$-expression and $[e_0]_\sigma(A) = (C, c)$, then define

$[\mathrm{INST}(e_0, e_1, e_2)]_\sigma(A) = \begin{cases} [e_1]_\sigma(C) & \text{if } c \neq (\mathrm{nil}_j)_C \\ [e_2]_\sigma(C) & \text{if } c = (\mathrm{nil}_j)_C \end{cases}$

$\mathrm{ASSIGN}(i, e_1)$ : If $[e_1]_\sigma(A) = (B, b)$ then $[\mathrm{ASSIGN}(i, e_1)]_\sigma(A) = (C, b)$ where $C$ is identical to $B$ with the exception that $(\tau_k)_C((T_{\sigma,i})_C) = b$.

$\mathrm{CALL}(\rho, e_1, \ldots, e_p)$ : Let $(B_1, b_1) = [e_1]_\sigma(A)$, and, for $i = 2, \ldots, p$, let $(B_i, b_i) = [e_i]_\sigma(B_{i-1})$. Then, where $\alpha(\rho) = (h, w, k)$ and $\tau(\rho) = u$, extend the signature $(S, \Omega)$ by adding constant symbols $P_{\rho,1}, \ldots, P_{\rho,|w|}$ and $T_{\rho,1}, \ldots, T_{\rho,|u|}$, and let $B$ be the extension of $B_p$ such that $(P_{\rho,i})_B = b_i$ for each $i = 1, \ldots, |w|$, and $(\tau_{u_j})_B((T_{\rho,j})_B) = (\mathrm{nil}_{u_j})_B$ for each $j = 1, \ldots, |u|$. Then, where $\xi(\rho) = e$, $(C, c) = [e]_\rho(B)$, and $D$ is the $(S, \Omega)$-reduct of $C$, define $[\mathrm{CALL}(\rho, e_1, \ldots, e_p)]_\sigma(A) = (D, c)$.

$\mathrm{NEW}(k, i)$ : Let $B$ be the $\sigma$-state-algebra that results from freely adjoining an element $x$ to $A_{I_k}$ and, where $\iota(k) = v_1 \cdots v_n$ and $v_i = v_{i,1} \cdots v_{i,p} \in K^*$, taking $(\mu_k)_B$ to be the extension of $(\mu_k)_A$ taking $x$ to $(\iota_{k,i})_B((\mathrm{nil}_{v_{i,1}})_B, \ldots, (\mathrm{nil}_{v_{i,p}})_B)$, and let $b = (\iota_k)_B(x)$. Then define $[\mathrm{NEW}(k, i)]_\sigma(A) = (B, b)$.

$\mathrm{CASE}(e_0, e_1, \ldots, e_q)$ : If $e_0$ is a $z$-$\sigma$-expression, where $\iota(z) = w_1 \cdots w_q$, and $[e_0]_\sigma(A) = (C, c)$, then define

$[\mathrm{CASE}(e_0, e_1, \ldots, e_q)]_\sigma(A) = \begin{cases} (C, (\mathrm{nil}_k)_C) & \text{if } c = (\mathrm{nil}_z)_C \\ [e_i]_\sigma(C) & \text{if there exist } x \text{ and } y \text{ such that } c = (\iota_z)_C(x) \text{ and } (\mu_z)_C(x) = \end{cases}$

$\mathrm{CHANGE}(e_0, i, e_1, \ldots, e_p)$ : Let $(B_0, b_0) = [e_0]_\sigma(A)$, and, for $j = 1, \ldots, p$, let $(B_j, b_j) = [e_j]_\sigma(B_{j-1})$. Then $[\mathrm{CHANGE}(e_0, i, e_1, \ldots, e_p)]_\sigma(A) = (C, b_0)$ where $C$ is identical to $B_p$ except that if $b_0$ is an instance of $k$, so $b_0 = (\iota_k)_{B_p}(x)$ for some $x \in (B_p)_{I_k}$, then

$\mathrm{ACCESS}(e_0, i, j)$ : Let $[e_0]_\sigma(A) = (B, b)$; if there exists $x \in B_{I_h}$ such that $b = (\iota_h)_B(x)$ and $(\mu_h)_B(x) = (\iota_{h,i})_B((a_1, \ldots, a_p))$, then $[\mathrm{ACCESS}(e_0, i, j)]_\sigma(A) = (B, a_j)$, otherwise

$[\mathrm{ACCESS}(e_0, i, j)]_\sigma(A) = (B, (\mathrm{nil}_k)_B)$.

The above presentation of the semantics is a mite informal in that it assumes that, for each $k$-$\sigma$-expression $e$ and $\Gamma$-algebra $A$, $A \subseteq ([e](A))_1$ in some sense that makes it meaningful to talk of an object $x \in A_{O_k}$ as also being an object in $(([e](A))_1)_{O_k}$. A more precise treatment would require introducing generalized injective homomorphisms.

7  Examples  of  Class  Specifications 

In this section we give a number of examples of class specifications using the sugared version of the syntax. Each specification builds on the ones given before. The specifications are fairly straightforward, but generally represent very inefficient implementations. For example, in the specification of BOOL the reader will see that each application of the “constant operation” true generates a new object.

Example 1 Here is a specification for the class BOOL. The only surprise here may be the operation null. This operation is needed because the CASE operation, which distinguishes true from false, cannot be used outside of the BOOL class. The operation null can be used together with the primitive operation INST to give us a general BOOLean conditional usable in methods of any class. The signature diagram for BOOL is shown in Figure 2.

CLASS BOOL
form
    ι(BOOL) = (λ)(λ)
methods
    true( ):BOOL
        NEW(BOOL, 1).
    false( ):BOOL
        NEW(BOOL, 2).
    and(P1, P2:BOOL):BOOL
        CASE(P1, CASE(P2, true, false), false).
    not(P1:BOOL):BOOL
        CASE(P1, false, true).
    null(P1:BOOL):BOOL
        CASE(P1, true, NIL_BOOL).
end-class BOOL

Example 2 Here is a specification for the class NAT of natural numbers. This is an example of a “recursive class” in the sense that NAT appears in the specification of the form of NAT. In general, a state algebra for NAT will contain only a subset of the natural numbers. As examination of the methods will show, “NATs are only produced as needed”.

CLASS NAT
form
    ι(NAT) = (λ)(NAT)
methods
    zero( ):NAT
        NEW(NAT, 1).
    succ(P1:NAT):NAT
        (τ(succ) = T1:NAT)
        T1 := NEW(NAT, 2); T1.2 ← (P1).
    pred(P1:NAT):NAT
        CASE(P1, NIL_NAT, P1.2.1).
    add(P1, P2:NAT):NAT
        CASE(P2, P1, add(succ(P1), pred(P2))).
    subt(P1, P2:NAT):NAT
        CASE(P2, P1, subt(pred(P1), pred(P2))).
    eq(P1, P2:NAT):BOOL
        CASE(P1, CASE(P2, true, false), CASE(P2, false, eq(pred(P1), pred(P2)))).
    le(P1, P2:NAT):BOOL
        CASE(P1, CASE(P2, true, false), le(pred(P1), pred(P2))).
end-class NAT

Example 3 As our next example we give a specification for the class INT of integers. This specification provides a nice example of encapsulation. From looking at the names of the methods one would expect that an integer $z$ is being represented as a pair consisting of a BOOLean, representing the sign of $z$, and a NATural number, representing the absolute value of $z$. But the specification, actually, represents an integer $z$ by a pair, $(n, p)$, of natural numbers such that if $n \geq p$ then $z = n - p$, while if $n < p$ then $z = -|p - n|$.


CLASS INT
form
    ι(INT) = (NAT·NAT)
methods
    one( ):INT
        (τ(one) = T1:INT)
        T1 := NEW(INT, 1); T1.1.1 ← succ(zero); T1.1.2 ← zero.
    abs(P1:INT):NAT
        INST(null(le(P1.1.1, P1.1.2)), subt(P1.1.2, P1.1.1), subt(P1.1.1, P1.1.2)).
    sign(P1:INT):BOOL
        INST(null(le(P1.1.1, P1.1.2)), false, true).
    sum(P1, P2:INT):INT
        (τ(sum) = T1:INT)
        T1 := NEW(INT, 1); T1.1.1 ← add(P1.1.1, P2.1.1); T1.1.2 ← add(P1.1.2, P2.1.2); T1.
    neg(P1:INT):INT
        (τ(neg) = T1:INT)
        T1 := NEW(INT, 1); T1.1.1 ← P1.1.2; T1.1.2 ← P1.1.1; T1.
    eqint(P1, P2:INT):BOOL
        eq(add(P1.1.1, P2.1.2), add(P1.1.2, P2.1.1)).
end-class INT

Figure 3: The Signature for STACK(D)

Example 4 Here is the “classic example” of a data type specification, STACK(D), here presented as a generic class, that is, D is a formal parameter that may be “passed” any actual parameter such as BOOL, NAT, or INT. In this paper we will not go into the mathematics of “how parameters are passed” - essentially we use the familiar pushout construction from the theory of data types. Informally, all we have to do is “rewrite” the specification with D replaced by the name of the desired actual parameter. The signature diagram for STACK(D) is shown in Figure 3.

CLASS STACK(D) = STACK-OF-D
form
    ι(STACK(D)) = (λ)(STACK(D)·D)
methods
    pop(P1:STACK(D)):D
        (τ(pop) = T1:D)
        CASE(P1,
            T1 := NIL_D,
            (T1 := P1.2.2; CASE(P1.2.1,
                P1.1 ← ( ),
                P1.2 ← ((P1.2.1).2.1, (P1.2.1).2.2))));
        T1.
    push(P1:STACK(D), P2:D):D
        (τ(push) = T1:STACK(D))
        T1 := NEW(STACK(D), 2);
        CASE(P1,
            T1.1 ← ( ),
            T1.2 ← (P1.2.1, P1.2.2));
        P1.2 ← (T1, P2);
        P2.
    make( ):STACK(D)
        (τ(make) = T1:STACK(D))
        T1 := NEW(STACK(D), 1).
    empty?(P1:STACK(D)):BOOL
        CASE(P1, true, false).
end-class STACK(D)
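To make the informal operations of Section 2, the semantic entries of Section 6 and the specifications above concrete, here is an added example (not code from the paper) of a small Python machine: a state is the set of live `Obj` instances, each holding a summand index and a tuple of objects, and the private operations are only honoured while a method of the owning class is executing, mirroring what the syntax of Section 4 enforces statically. It runs Example 1's BOOL together with STACK(D) rewritten with D := BOOL, as the text describes for generic classes; the `Machine`, `Obj` and `Nil` API and the Python encoding of the method bodies are this example's own, and the NAT and INT classes of Examples 2 and 3 can be registered in the same way.

```python
"""Added example: a toy machine for the object model of Sections 2, 6 and 7.
Objects of class k are the typed nil object or an instance holding a summand
index and a tuple of objects (a variant over records).  NEW, CASE, CHANGE and
ACCESS are private to the methods of k; INST, CALL, ';' (Python sequencing) and
':=' (Python assignment) are public.  Machine/Obj/Nil are this example's own API."""


class Nil:                                   # the nil object of a class; nil objects are typed
    def __init__(self, cls):
        self.cls = cls


class Obj:                                   # an instance: summand index plus one field per component
    def __init__(self, cls, summand, fields):
        self.cls, self.summand, self.fields = cls, summand, list(fields)


class Machine:
    def __init__(self, forms):
        self.forms = forms                   # iota: class -> list of summands (lists of class names)
        self.nils = {k: Nil(k) for k in forms}
        self.methods = {}                    # method name -> (owning class, Python body)
        self.active = []                     # owning classes of the methods currently executing

    # public operations
    def nil(self, k):
        return self.nils[k]

    def inst(self, x, e1, e2):               # INST(e0, e1, e2): e1 if x is an instance, e2 if nil
        return e2() if isinstance(x, Nil) else e1()

    def call(self, name, *args):             # CALL(rho, e1..en): rho's class becomes the active one
        owner, body = self.methods[name]
        self.active.append(owner)
        try:
            return body(self, *args)
        finally:
            self.active.pop()

    # private operations: usable only inside methods belonging to class k
    def _guard(self, k):
        if not self.active or self.active[-1] != k:
            raise PermissionError(f"private operation of {k} used outside its methods")

    def new(self, k, i):                     # NEW(k, i): fresh instance, all-nil tuple for summand i
        self._guard(k)
        return Obj(k, i, [self.nil(c) for c in self.forms[k][i - 1]])

    def case(self, x, *branches):            # CASE(e0, e1..en): branch on the summand; nil yields nil
        self._guard(x.cls)
        return x if isinstance(x, Nil) else branches[x.summand - 1]()

    def change(self, x, i, *vals):           # CHANGE(e0, i, e1..ep): overwrite in place (objects have memory)
        self._guard(x.cls)
        if isinstance(x, Obj):
            x.summand, x.fields = i, list(vals)
        return x

    def access(self, x, i, j):               # ACCESS(e0, i, j): component j of summand i, else nil
        self._guard(x.cls)
        if isinstance(x, Obj) and x.summand == i:
            return x.fields[j - 1]
        return self.nil(self.forms[x.cls][i - 1][j - 1])


S = "STACK(BOOL)"                            # STACK(D) with the formal parameter D rewritten to BOOL
FORMS = {"BOOL": [[], []], S: [[], [S, "BOOL"]]}   # iota(BOOL) = (l)(l); iota(STACK(D)) = (l)(STACK(D).D)


def push(m, p1, p2):
    # T1 := NEW(STACK(D), 2); CASE(P1, T1.1 <- ( ), T1.2 <- (P1.2.1, P1.2.2)); P1.2 <- (T1, P2); P2
    t1 = m.new(S, 2)
    m.case(p1, lambda: m.change(t1, 1),
           lambda: m.change(t1, 2, m.access(p1, 2, 1), m.access(p1, 2, 2)))
    m.change(p1, 2, t1, p2)
    return p2


def pop(m, p1):
    # CASE(P1, T1 := NIL_D, (T1 := P1.2.2; CASE(P1.2.1, P1.1 <- ( ), P1.2 <- (sub.2.1, sub.2.2)))); T1
    t1 = m.nil("BOOL")

    def nonempty():
        nonlocal t1
        t1, sub = m.access(p1, 2, 2), m.access(p1, 2, 1)
        m.case(sub, lambda: m.change(p1, 1),
               lambda: m.change(p1, 2, m.access(sub, 2, 1), m.access(sub, 2, 2)))
    m.case(p1, lambda: None, nonempty)
    return t1


def build_machine():
    mach = Machine(FORMS)
    mach.methods["true"] = ("BOOL", lambda m: m.new("BOOL", 1))
    mach.methods["false"] = ("BOOL", lambda m: m.new("BOOL", 2))
    mach.methods["not"] = ("BOOL", lambda m, p1: m.case(p1, lambda: m.call("false"),
                                                         lambda: m.call("true")))
    mach.methods["make"] = (S, lambda m: m.new(S, 1))
    mach.methods["empty?"] = (S, lambda m, p1: m.case(p1, lambda: m.call("true"),
                                                       lambda: m.call("false")))
    mach.methods["push"], mach.methods["pop"] = (S, push), (S, pop)
    return mach


def run_demo():
    """Push true then false, pop twice, then pop the emptied stack; returns the summands seen."""
    m = build_machine()
    s = m.call("make")
    m.call("push", s, m.call("true"))
    m.call("push", s, m.call("false"))
    first, second = m.call("pop", s), m.call("pop", s)
    emptied, third = m.call("empty?", s), m.call("pop", s)       # third is nil_BOOL
    negated = m.call("not", m.call("true"))
    return first.summand, second.summand, emptied.summand, isinstance(third, Nil), negated.summand


def leaks_private_operation():
    """True iff ACCESS on a STACK object is refused outside the methods of STACK(BOOL)."""
    m = build_machine()
    try:
        m.access(m.call("make"), 2, 2)
    except PermissionError:
        return True
    return False
```

`run_demo()` returns `(2, 1, 1, True, 2)`: the pops yield the objects created by `false` (summand 2) and `true` (summand 1) in LIFO order, `empty?` then answers with a `true` object, popping the empty stack yields the nil object of BOOL, and `not(true)` is a `false` object. Note that `s` keeps its identity throughout: push and pop rewrite its value with CHANGE rather than returning a new stack, which is exactly the “objects have memory” point of Section 1. `leaks_private_operation()` shows the run-time counterpart of the syntactic restriction: outside a method of STACK(BOOL) the guard refuses ACCESS, so a caller can only learn about a stack through `pop`, `push` and `empty?`.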

Example 5 Our next specification is for DOUBLE-LINKS-OF-D, or 2LINK(D) — the “links” used to make types such as doubly-linked lists, and used below to specify FINITE-SETS-OF-D. One can think of an instance $x$ of a 2LINK(D) object as having a value which is a triple $(lft, rgt, val)$ where $lft$ and $rgt$ are 2LINK(D) objects and $val$ is an object of class D. Informally, we think of $lft$ as being to the left of $x$, and $rgt$ as being to the right of $x$. This leads naturally to the idea of a doubly-linked-list — a chain of 2LINK(D)s with nils at the two ends, but 2LINK(D) can also be used to construct many other structures.

This class is again an example of a class that is both recursive and generic. In contrast to our other examples, this class is quite ill-behaved in that we can have complex structures of links with very complex aliasing. This complexity is largely hidden in this specification inasmuch as the choice of names for the methods only suggests the doubly-linked list application.

CLASS 2LINK(D) = DOUBLE-LINKS-OF-D
form
    ι(2LINK(D)) = (2LINK(D)·2LINK(D)·D)
methods
    left(P1:2LINK(D)):2LINK(D)
        INST(P1.1.1, P1.1.1, P1).
    right(P1:2LINK(D)):2LINK(D)
        INST(P1.1.2, P1.1.2, P1).
    addleft(P1:2LINK(D), P2:D):2LINK(D)
        (τ(addleft) = T1:2LINK(D))
        T1 := NEW(2LINK(D), 1);
        INST(P1,
            INST(P1.1.1,
                T1.1 ← (P1.1.1, P1, P2); (P1.1.1).1.2 ← T1; P1.1.1 ← T1,
                T1.1 ← (NIL_2LINK(D), P1, P2); P1.1.1 ← T1),
            T1.1 ← (NIL_2LINK(D), NIL_2LINK(D), P2)).
    addright(P1:2LINK(D), P2:D):2LINK(D)
        left to the reader
    write(P1:2LINK(D), P2:D):D
        P1.1.3 ← P2.
    leftend?(P1:2LINK(D)):BOOL
        INST(P1, NIL_BOOL, INST(P1.1.1, false, true)).
    rightend?(P1:2LINK(D)):BOOL
        left to the reader
    drop(P1:2LINK(D)):2LINK(D)
        INST(null(leftend?(P1)),
            INST(null(rightend?(P1)), NIL_2LINK(D), (right(P1)).1.1 ← NIL_2LINK(D)),
            INST(null(rightend?(P1)),
                (left(P1)).1.2 ← NIL_2LINK(D),
                (right(P1)).1.1 ← left(P1); (left(P1)).1.2 ← right(P1))).

Finally, assuming D has an “equality method”, eqD(P1, P2:D):BOOL, then

    isin?(P1:D, P2:2LINK(D)):BOOL
        (τ(isin?) = T1:BOOL)
        INST(P2,
            INST(null(eqD(P2.1.3, P1)), true, isin?(P1, P2.1.2)),
            false).
end-class 2LINK(D)

Example 6 As our final example we give a specification for the generic class FINITE-SETS-OF-D. The specification makes use of the class 2LINK(D) but the 2LINK(D)s generated by the methods in SET(D) are encapsulated in the sense that there is no way “to get at them” except through the methods of SET(D). Note that this generic specification makes use of the isin? method of 2LINK(D) and thus requires that D has an “equality method” eqD. The idea behind this specification is that we can represent a set $S$ as a “string” of its elements, and that we can represent the string as a chain of 2LINK(D). In the actual specification the form of SET-OF-D is given as a triple, $(L_1, L_2, L_3)$ of 2LINK(D) objects. Inspection of the methods should show that, in a string $s$ representing a set $S$, $L_1$ marks the beginning of $s$, $L_3$ marks the end of $s$, and $L_2$ is used, when necessary, to traverse $s$, but is always returned to the beginning of $s$ at the end of a method.

CLASS SET(D) = FINITE-SETS-OF-D
form
    ι(SET(D)) = (2LINK(D)·2LINK(D)·2LINK(D))
methods
    make( ):SET(D)
        (τ(make) = T1:SET(D))
        T1 := NEW(SET(D), 1).
    elemof?(P1:D, P2:SET(D)):BOOL
        (τ(elemof?) = T1:BOOL)
        T1 := isin?(P1, P2.1.2); P2.1.2 ← P2.1.1; T1.
    addelem(P1:D, P2:SET(D)):SET(D)
        INST(null(elemof?(P1, P2)),
            P2,
            P2.1 ← (P2.1.1, P2.1.2, (addright(P2.1.3, P1); right(P2.1.3)))).
    delelem(P1:D, P2:SET(D)):SET(D)
        (τ(delelem) = T1:2LINK(D))
        INST(null(isin?(P1, P2.1.2)),
            T1 := drop(P1, P2.1.2); INST(null(leftend?(P2.1.2)),
                P2.1 ← (T1, T1, T1),
                P2.1.2 ← P2.1.1),
            P2.1.2 ← P2.1.1).
end-class SET(D)


8  Looking  Forward 

This  paper  has  concentrated  on  giving  a  description  of  a  particular  language  for  data 
driven  design  and  on  showing  some  simple  examples  of  what  can  be  done  with  it.  But  the 
real  reason  for  developing  the  language  was,  and  is,  to  use  it  as  a  well  defined  framework 
in  which  to  investigate  various  aspects  of  data  driven  design.  I  am  not  ready,  at  present, 
to  make  any  major  pronouncements  on  data  driven  design,  but  the  following  remarks,  and 
questions,  may  be  of  interest. 

While you may not be completely happy with the way I have worked out the examples in Section 7, you will probably agree that most, if not all, of them are correct. But what does this mean? Intuitively, it means that the defined classes have the external behavior that we expect. What is “external behavior”? I think that, loosely speaking, external behavior is what we can observe by doing experiments consisting of applying expressions built up using the “public” operations INST, NIL, ASSIGN, CALL and the like. This is trickier than it might sound, since essentially all we can observe as the result of an experiment is whether or not the result is a nil object. The idea is that the “experiments” should provide a way to identify appropriate states and/or objects so that the resulting congruence classes correspond to the elements of the desired abstract type. It seems fairly easy to make this precise in a manner that will work for at least BOOL, NAT, STACK-OF-D, and FINITE-SET-OF-D. However, we can take the specification given for FINITE-SET-OF-D, rename it NON-REPEATING-STRING-OF-D, and informally interpret the objects as strings of elements of D in which no element is repeated. This is fine intuitively, but the above notion of external behavior is too strong, as it identifies strings that are not the same under this new interpretation. However, interpretation notwithstanding, in any application of NON-REPEATING-STRING-OF-D we can replace it by FINITE-SET-OF-D and never know the difference. Still, it would appear that the meaning of a class involves intention as well as extension. At the very least it means that we cannot necessarily grasp the intention behind a class specification just from the formal specification.

An aspect of object-oriented programming that receives a great deal of attention is the notion of “inheritance”. This is a “concept” with many definitions, some of which seem to be incompatible. The version I want to address is roughly the intersection of the versions found in [3] and [2]; to quote from [3]:

“Inheritance is a technique that allows new classes to be built on top of older, less specialized classes rather than written from scratch. The new class is the subclass; the old one is the superclass. The subclass inherits the instance variables and methods of the superclass. The subclass can add new instance variables and methods of its own.”

To put this into the framework of our language we need only replace the first occurrence of the phrase “instance variables” by the phrase “form i”, and replace the phrase “add new instance variables” by a phrase describing some suitable notion of extending the form. The question of what a suitable notion is can wait until another day; what is important is that this is an implementation concept in the sense that the new class, k', is defined starting from the specification (a(k), i(k), f(k)) of the old class k, rather than being defined from the external behavior of k.

The fact that “inheritance” works at the implementation level results in some confusions at the interpretation level. We can easily take the class FINITE-SET-OF-D and add a method for a pick operation which, when applied to a “set” s, returns “the oldest element of s”: we just return the right-most element of D in the “string” representing s. I claim that the resulting class is constructed in accordance with the directions given in the above quote, and is thus technically a “subclass” of FINITE-SET-OF-D. Now it seems wrong, from a mathematical point of view, to say that the result is a specialization of the mathematical concept of finite sets of elements of D. However, there is no problem with viewing the resulting class as a specialization, or extension, of the class NON-REPEATING-STRING-OF-D. This suggests that there are important semantic elements in inheritance that need further investigation.
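The argument of the last two paragraphs can be run rather than just read. The following is an added example, not code from the paper: it represents a FINITE-SET-OF-D as a non-repeating “string” of its elements, as the SET(D) specification does, models an “experiment” as the tuple of nil/non-nil answers the public elemof? method gives, and then inherits the pick method described above. The class and method names, and the three-element universe, are this example's own choices.

```python
# Added example (not from the paper): a FINITE-SET-OF-D represented, as in the
# SET(D) specification, as a non-repeating "string" of its elements, together
# with the "pick" method discussed above.  It shows two objects that the set
# interface cannot tell apart being told apart once pick is inherited.
from itertools import permutations


class NonRepeatingString:
    """A finite set of D, represented as the list of its elements in the order
    they were added, with no element repeated."""

    def __init__(self, elems=()):
        self._s = []
        for e in elems:
            self.addelem(e)

    def elemof(self, x):
        """elemof?: the only observation the public interface offers."""
        return x in self._s

    def addelem(self, x):
        """addelem: append at the right end unless x is already present."""
        if not self.elemof(x):
            self._s.append(x)
        return self

    def delelem(self, x):
        """delelem: remove x if present; otherwise leave the set unchanged."""
        if self.elemof(x):
            self._s.remove(x)
        return self


class PickableSet(NonRepeatingString):
    """The 'subclass' of the text: same form, plus a pick method that returns
    the right-most element of the representing string."""

    def pick(self):
        return self._s[-1] if self._s else None


def observe(s, universe):
    """An 'experiment' in the sense of Section 8: apply the public methods and
    record only whether each result is nil (False) or not (True)."""
    return tuple(s.elemof(d) for d in universe)


def same_external_behaviour(a, b, universe):
    """Two objects are identified when no experiment separates them."""
    return observe(a, universe) == observe(b, universe)


def pick_breaks_the_congruence(universe):
    """Build one set per insertion order of `universe`.  Returns whether every
    pair has the same external behaviour as a set, and how many distinct
    values pick() yields across them (1 would mean pick respects the
    congruence; more means it exposes the representation)."""
    sets = [PickableSet(order) for order in permutations(universe)]
    all_same = all(same_external_behaviour(sets[0], s, universe) for s in sets)
    distinct_picks = len({s.pick() for s in sets})
    return all_same, distinct_picks


def demo():
    """Two equal sets built in different orders agree on every set experiment
    but disagree on pick: the inherited class is an extension of
    NON-REPEATING-STRING-OF-D, not of FINITE-SET-OF-D."""
    universe = ("a", "b", "c")
    s1 = PickableSet(["a", "b", "c"])
    s2 = PickableSet(["c", "b", "a"])
    return same_external_behaviour(s1, s2, universe), (s1.pick(), s2.pick())
```

Running demo() gives (True, ("c", "a")): the two objects are congruent as sets yet pick separates them. The same leak is what a practitioner watches for when a subclass is allowed to read a superclass's form directly; an invariant that only holds “up to the congruence” is not an invariant the subclass can be trusted to keep.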

It  is  worthwhile  considering  if  there  are  other  ways  to  “reuse  code”,  that  do  not  lead 
to  such  semantic  problems.  Certainly  we  can  extend  a  class  by  adding  methods  that  are 
defined  in  terms  of  existing  methods  by  means  analogous  to  the  construction  of  derived 
operators  in  universal  algebra.  But  can  we  do  better  than  this?  I  think  we  can. 

In Section 7, our examples are developed sequentially. That is, there are no mutually recursive specifications. However, it is certainly possible to write such specifications in our language. For example, the definition of the class STACK-OF-D could be broken into two separate class definitions S = STACK and N = NON-EMPTY-STACK where i(S) = ( ) | N and i(N) = (S · D). Are such specifications needed or useful?

I’ll  present  some  answers,  and  more  questions,  in  my  talk. 
1 Introduction

Software Engineering aims to improve our ability to develop and maintain provably correct, adaptable, and efficient software. Initial attempts to provide this improvement were based on the software development process known as the software life-cycle.

Indeed, software engineering has matured to the point where some of its fundamental premises should be re-examined. In particular, the traditional view of the “software life-cycle” has been recognised as inadequate when considered with automated environments based on “rapid prototyping” or “knowledge-based development” or the transformation paradigm [Wil86a,ICS87,Hen89,Rat88b,Rat88c,Rat89b].

Further,  in  any  traditional  engineering  discipline,  re-usability  (of  components,  designs, 
manufacturing  processes,  . . . )  is  of  fundamental  importance.  In  software  engineering,  we 
are  just  beginning  to  understand  this  idea,  but  before  we  can  incorporate  it  into  our  soft¬ 
ware  practices  we  must  understand  the  process  of  software  development.  To  do  this  we 
must  understand  both  the  constituents  of  the  development  process,  and  the  total  process 
itself.  The  common  approaches  to  software  re-usability  are  well-illustrated  by  work  involv¬ 
ing  a  re-usability  of  system  components  (in  the  form  of  libraries,  etc  [Hor84]),  abstract  data 
types  [Emb87,Gog86],  and  specification  [Gau88].  Software  re-use  can  be  identified  with 
the  productive  re-use  of  software  design  and  development  in  the  planning,  construction, 
and  verification  of  software  systems;  a  knowledge-based  model  for  this  form  of  software 
process  re-use  is  described  in  Rattray  et  al  [Rat89b]. 

A  number  of  approaches  to  the  study  of  the  software  process  [Wil86a,ICS87,Hen89] 
have  been  suggested.  Typical  is  that  of  Osterweil  [Ost87]  where  the  view  is  put  forward 
that  software  processes  can  be  described  by  “programming”  them  in  much  the  same  way 
as  computer  applications  are  programmed.  A  criticism  of  this  by  Lehman  [Leh87]  is  that 
a  process  program  is  essentially  procedural  and  only  has  merit  if  the  problem  domain  is 
known  and  well-understood,  if  the  strategies  and  algorithms  for  achieving  the  desired  goals 
are  known,  and  if  the  managerial  and  administrative  practices  are  clearly  defined. 

Similar  criticisms  can  be  levelled  at  other  attempts  to  describe  software  processes  and 
so  the  need  to  develop  (mathematical)  models  or  meta-models  of  the  software  process 
has become essential. Dowson [Dow86] gives reasonable definitions for “software process”, “software process meta-model” and “software process model”. Wileden [Wil86b], for instance, provides a possible meta-model which agrees with Dowson’s definitions. None of the models available seem appropriate. They lack precision, comprehensiveness, consistency, and an adequate theoretical basis, and most importantly the notion of variable structure [Zei89]. These difficulties are all overcome by a formal (meta-)model, evolutionary and hierarchical in nature and based on a re-interpretation of elementary categorical algebra, developed by Rattray [Rat88b] and Rattray and Price [Rat89a]. This model provides a suitable framework within which to consider software process development and re-use.

Within  this  evolving  hierarchical  framework,  systems  have  an  internal  organisation 
consisting  of  components  with  interrelations;  their  organisation  is  maintained  in  time  even 
though  their  components  are  changing;  their  components  are  divided  on  levels  correspond¬ 
ing  to  the  increasing  complexity  of  their  own  organisation.  The  state  of  a  system  at  any 
given  time  is  modelled  by  a  category,  the  state  transition  by  a  functor,  a  complex  compo¬ 
nent  by  the  (inductive)  limit  of  a  pattern  of  linked  components.  Categorical  constructions 
describe  the  stepwise  formation  of  a  system,  by  means  of  operations:  absorption  of  exter¬ 
nal  components  from  the  environment,  destruction  of  some  components,  formation  of  new 
complex  components.  By  defining  the  notion  of  a  mapping  (morphism),  compatible  with 
the  evolving  hierarchical  structure,  between  frameworks  it  is  possible  to  compare  software 
development  processes. 

In  many  situations,  software  maintenance  for  example,  our  knowledge  of  the  software 
product  may  not  be  complete  (lack  of  documentation,  change  of  personnel,  etc).  Informa¬ 
tion  to  and  from  the  software  system  may  then  be  supposed  to  be  conveyed  through  limited 
parts  of  it  called  “actors”,  dynamically  interacting  with  the  system.  Each  actor  has  only 
partial information of the system. For each actor, we can construct a category, its “field of vision”, which contains the fragments of the software system available to it; these fields are connected via “communication” functors. From this, we can deduce a representation
of  the  totality  of  fragments  attainable  through  the  actors.  For  the  outside  observer  the 
actors’  view  need  not  be  a  faithful  representation  of  the  actual  software  system  and  the 
difference  is  measured  by  a  “distortion”  functor.  The  actual  system  may  be  subject  to 
modifications  outside  the  scope  of  the  actors.  The  difference  between  the  software  system 
as  “anticipated”  by  the  actors  and  the  system  after  external  modification  can  be  mea¬ 
sured  by  a  comparison  functor;  the  measurement  represented  by  the  comparison  functor 
is  available  at  the  level  of  the  actors  and  indicates  how  to  reduce  the  difference. 

In this paper, we review the framework, which has its origin in the biological sciences
[Ehr85,Ehr86],  as  a  vehicle  in  which  to  consider  models  of  the  software  process.  Using 
the  kinds  of  measurements  mentioned  above  we  illustrate  how  it  is  possible  to  devise 
construction  strategies  for  building  complex  systems  or  understanding  existing  software 
products.  As  an  application  of  the  evolutionary  hierarchical  framework,  we  indicate  how 
the  model  may  be  helpful  in  understanding  software  re-usability  by  considering  this  from 
the  point  of  view  of  re-usability  of  software  processes  [Rat88a].  The  same  framework  is 
being  developed  to  provide  the  underlying  model  for  the  design  of  a  practical  experimental 
program  design  environment  [Rat89a]. 


2  Elements  of  a  Meta-Model 


“A system is a set of units with relationships among them” [Ber56]. The notion of a
category  matches  well  with  this  description  whereby  the  objects  of  the  category  model  the 
system  units  and  the  arrows  of  the  category  model  the  system  relationships.  Graphical 
descriptions  of  system  models  from  which  the  software  is  generated  are  equally  common. 
Typically, SADT¹ (Structured Analysis and Design Technique [Mar87]) uses hierarchies of
directed  graphs  the  nodes  of  which  have  a  particular  form.  Each  node  is  an  abstraction 
(complex  component)  the  internal  organisation  of  which  is  described  by  a  directed  graph. 

2.1  Complex  Components 

A pattern is a graph morphism P : G → K from a graph G to a graph K. Graph G prescribes the shape of the diagram and may be viewed as a sketch (a prototype) of a system’s structure, ie pattern P defines a pattern of linked (related) objects in K.

Suppose K is a category of such objects and P is a pattern of objects in K, whose prototype is G. The object P_i, indexed by the node i of the prototype, is called a component of K; the image P(a) of an arrow a of the prototype is a specific link between components. Such a specific link indicates a relationship between the objects, eg a form of module coupling, a data flow, file transfer, network link, a dependency relation, ....

The key notion in developing complex components of any software system lies in the need to ensure that system changes have only a localised effect. Essentially, the complex component has a certain external behaviour, determined by its internal organisation and function which is unknown and unavailable to the environment of the component. Thus, internal changes to the component which preserve the external behaviour will have no adverse effects on the environment. This localisation property is known as “information hiding” [Par72].

The  idea  of  stepping  back  from  the  detailed  internal  behaviour  of  a  component  so 
that  our  understanding  of  the  component  is  determined  by  its  external  behaviour  is  called 
abstraction.  An  excellent  definition  [Weg76],  due  to  Wegner,  says 

An  abstraction  of  an  object  is  a  characterisation  of  the  object  by  a  subset  of 
its  attributes  ....  If  the  attribute  subset  captures  the  “essential”  attributes  of 
the  object,  then  the  user  need  not  be  concerned  with  the  object  itself  but  only 
with  the  abstract  attributes. 

A collective link of the pattern P to the object C of the category is a family of arrows f_i, indexed by the nodes of the prototype G, where f_i is an arrow from the component P_i to C, which satisfies the compatibility condition: if a is an arrow from i to j in the prototype, then f_i is the composition of P(a) and f_j, ie

f_i = f_j ∘ P(a) : P_i → P_j → C

¹SADT is a trademark of SofTech, Inc.

An inductive limit of pattern P is an object C' of the category K such that, for any object C, the arrows from C' to C are in one-one correspondence with the collective links from P to C. The unique arrow f associated with the collective link (f_i) is said to bind the f_i's.

Thus,  the  limit  object  binds  together  the  component  objects  according  to  their  internal 
organisation  determined  by  the  corresponding  prototype.  The  component  Pi  of  the  pattern 
P  is  called  a  component  object  of  the  limit  C'.  The  properties  of  an  object  depend  on  the 
number  and  nature  of  the  arrows  which  link  it  to  other  objects  of  the  category  K.  It  is 
natural  to  compare  the  properties  of  the  complex  object  C'  with  those  of  its  components. 

The  category  K  models  the  environment  of  the  pattern  P.  Modification  of  the  envi¬ 
ronment  category  may  take  various  forms.  For  instance,  enlarging  K  to  L  or  blurring  the 
distinction  between  two  K  objects  in  L  may  make  retaining  the  limits  difficult.  It  may  be 
that  a  pattern  P  cannot  be  bound  to  a  limit  in  K  but  can  be  forced  to  have  a  limit  in  an 
extended  environment  L. 

A  modification  to  the  environment  will  be  modelled  by  a  functor  F  from  K  to  a  “new” 
category  L.  The  image  pattern  of  P  by  F  is  the  pattern  Q  of  linked  objects  in  L  defined 
by  the  composition  of  P  and  F.  Functor  F  preserves  collective  links  and  cones  but  not 
necessarily  limits.  Changing  the  environment  K  may  change  the  behaviour  of  a  pattern  of 
linked  objects.  This  suggests  the  possibility  of  changing  the  environment  purposely  so  that 
complex objects binding given patterns of linked objects may be formed. To achieve this a
functor  F  from  K  to  the  “smallest  possible”  category  L  containing  K  must  be  constructed 
such  that  the  image  of  each  pattern  P  admits  a  limit  in  L,  and  the  image  of  each  given 
cone  is  a  limit-cone. 


2.2  Hierarchical  Systems 

A  hierarchical  system  is  a  category  K  in  which  the  objects  are  distributed  on  levels 
(0, 1, . . . , p), such that each object of level n + 1 (n < p) is the limit in K of a pattern P
of  linked  objects  on  level  n. 

In  such  a  hierarchical  system  the  system  components  are  associated  with  levels  corre¬ 
sponding  to  increasing  complexity  of  their  internal  organisation.  Any  object  at  level  n  + 1 
is  the  limit  of  a  pattern  of  linked  objects  at  level  n  but  it  may  form  part  of  a  pattern  of 
linked  objects  whose  limit  is  at  level  n  +  2.  A  functor  between  hierarchical  systems  pre¬ 
serves  hierarchies  if  it  does  not  raise  the  level  of  an  object  and,  indeed,  any  two  hierarchical 
systems  may  be  compared  from  some  particular  level  upwards. 


2.3  Evolution  of  a  System 

Software  changes  with  time  (in  its  development  phase  and  during  its  use);  new  compo¬ 
nents  are  formed,  either  added  from  an  external  source  or  by  construction  from  simpler 
components;  old  components  may  be  re-organised  or  discarded. 

To model this situation the state of the system at “time” t is represented by a category K_t, and its state transition is determined by a functor from K_t to K_t', its state at a later time t' (there is no requirement for the objects and arrows at t and t' to be the same). A component is “new” at time t if it has no earlier state.

An  evolutionary  (hierarchical)  system  K  is  just  a  functor  from  a  subcategory  T  of  the 
category  of  time,  Time,  to  a  category  of  categories. 

To  compare  software  process  models  within  this  system  we  need  to  define  a  morphism 
between  evolutionary  systems,  ie.  to  compare  states  of  the  systems  at  corresponding  times. 

Let K be an evolutionary system on T, and L an evolutionary system on U (a subcategory of Time). A morphism from K to L consists of a functor φ from T to U and a natural transformation from K to the composite of φ and L. This leads to the category of evolutionary systems.


3  Conclusions 

A  meta-model  for  the  software  process  has  been  outlined.  This  is  based  on  some  elementary 
properties  of  categorical  algebra.  The  meta-model  provides  the  framework  within  which 
to  discuss  software  process  models,  to  compare  them,  and  perhaps  to  develop  new  ones. 
The  same  framework  can  lead  quite  naturally  to  the  design  of  a  knowledge-based  software 
design  environment  which  promotes  the  notion  of  software  process  re-usability. 
1 Introduction

This  note  introduces  the  concept  of  path  grammar,  which  allows  the  speci¬ 
fication  of  paths  in  a  directed  graph  by  a  method  generalizing  the  ordinary 
concept  of  grammar  for  strings  in  an  alphabet.  The  concept  of  derivation 
and  the  special  notion  of  context-free  path  grammar  are  defined.  A  pumping 
lemma  for  context-free  path  languages  is  stated. 


2  Graphs  and  2-graphs 

By  graph  we  mean  a  directed  graph;  we  allow  loops  and  we  allow  more 
than  one  arrow  between  the  same  pair  of  nodes.  A  graph  generates  a  free 
category  with  the  universal  property  that  every  graph  homomorphism  to  the 
underlying  graph  of  a  category  lifts  to  a  functor.  A  node  n  of  a  graph  is  a 
source  if  there  is  a  path  from  n  to  each  other  node  of  the  graph,  and  a  sink 
if  there  is  a  path  to  n  from  each  other  node  in  the  graph. 

A  2-graph  is  a  graph  with  possibly  some  2-cells.  A  2-cell  may  be  thought 
of  as  an  arrow  between  paths.  Precisely,  a  2-cell  has  a  source  and  a  target, 
each  of  which  is  a  path  in  the  graph  with  the  same  beginning  and  ending 
nodes.  The  source  and  target  of  the  2-cell  may  be  the  same  and  there  may 
be  more  than  one  2-cell  between  the  same  two  paths. 

A  2-category  is  a  category  C  with,  for  each  pair  of  objects  A,  B,  a 
category  structure  on  Hom(A,  B)  satisfying  certain  requirements  spelled  out, 
for example, in reference [K]. The arrows of the category Hom(A, B) are
called  2-cells.  A  2-graph  generates  a  free  2-category  with  universal  property 
analogous  to  that  of  the  free  category  generated  by  a  graph. 
3 Path grammars

A  path  in  a  graph  is  a  generalization  of  a  string  in  an  alphabet:  it  is  a 
generalization  because  one  can  describe  the  characters  in  the  alphabet  as 
loops  in  a  one-node  graph.  In  general,  one  does  not  get  arbitrary  strings 
of  arrows  in  the  graph:  they  must  compose  head  to  tail.  This  suggests  the 
possibility  of  describing  the  well  formed  programs  of  a  programming  language 
as  paths  in  a  graph  in  which  the  nodes  are  the  types  and  the  arrows  are  the 
operations.  The  composition  operation  is  automatically  typechecked  in  such 
a  description. 

3.1  Grammars  The  concept  of  2-graph  allows  the  possibility  of  build¬ 
ing  a  theory  of  grammars  for  paths  in  a  graph  which  is  analogous  to  and 
incorporates  the  ordinary  concept  of  grammar  or  production  system. 

Definition 3.1 A path grammar 𝒢 = (G, V, T, S) consists of a 2-graph G whose arrows are the union of two disjoint sets V (the variables) and T (the terminals), together with a distinguished arrow S in V. The 2-cells are called productions.

Definition 3.2 The grammar (G, V, T, S) is context-free if the beginning of every production is a path of length 1.

3.2  Derivations  A  context-free  grammar  in  the  usual  sense  comes 
with  the  concept  of  a  derivation  tree  of  a  string.  The  author  is  unaware  of 
generalizations  of  this  concept  to  larger  classes  of  grammars.  However,  work 
of  A.  J.  Power  [P]  leads  to  a  natural  general  idea  of  derivation. 

Definition 3.3 A pasting scheme is a planar graph D with the following properties:

P.1 D has a source and a sink.

P.2 For every interior face F of D, there are distinct vertices s(F) and t(F) and directed paths σ(F) and τ(F) from s(F) to t(F) such that the boundary of F is σ(F)[τ(F)]^R.

D is a context-free pasting scheme if for each face F, the path σ(F) required by P.2 is of length 1.

A pasting scheme D has a canonical 2-graph structure whose underlying graph is D and which has one 2-cell α(F) : σ(F) → τ(F) for each face F of D.


Definition 3.4 Let 𝒢 = (G, V, T, S) be a path grammar. A derivation consists of

D.1 A pasting scheme D.

D.2 A 2-graph homomorphism h from the canonical 2-graph structure on the scheme D to G.

If the external boundary of D is σ[τ]^R, where σ and τ are paths from the source to the sink of D, and σ and τ are labeled via h by paths w and x respectively, then D is said to be a derivation of x from w.

It  follows  from  Theorem  3.3  of  Power  [P]  that  the  2-cells  in  a  derivation 
compose  to  a  unique  2-cell  in  the  free  category  generated  by  G.  In  the  case 
of  an  ordinary  context-free  grammar  (so  G  has  one  node)  a  derivation  is 
equivalent  to  what  is  called  a  derivation  tree  in  [HU]. 


4  The  language  of  a  grammar 

Theorem 4.5 Let 𝒢 = (G, V, T, S) be a grammar. The language L(𝒢) of 𝒢 is the set of paths w in G with the properties:

L.l  All  of  the  arrows  in  w  are  in  T. 

L.2  There  is  a  derivation  of  w  from  S. 

A set L of paths in a graph is context free if the graph underlies the 2-graph G of a finite context-free path grammar 𝒢 and L is the language of 𝒢.

When  a  grammar  is  applied  to  the  specification  of  programs  in  a  functional 
programming  language,  a  particular  choice  of  initial  arrow  S  produces  the  set 
of  all  programs  with  specific  input  and  output  types. 

4.1  A  pumping  lemma  The  following  theorem  is  a  generalization 
of  the  pumping  lemma  for  ordinary  context  free  grammars  and  is  proved  in 
the  same  way. 

Theorem 4.6 Let L be a context-free set of paths in a graph G. Then there is an integer n for which, if z is a path in L of length greater than n, then there is a composable sequence (u, v, w, x, y) of paths in G with the following properties:

PL.1 The composite vwx has length ≤ n.

PL.2 Both v and x are loops.

PL.3 Either v or x is nonempty.

PL.4 z = uvwxy.

PL.5 For every nonnegative integer m, u v^m w x^m y ∈ L.


5  Remarks 

Context-free  grammars  have  long  been  used  as  a  first  cut  in  defining  pro¬ 
gramming  languages.  These  do  not  completely  define  the  language  because 
of  additional  context-sensitive  restrictions  such  as  type  checking  and  bound 
checking.  Type  checking,  but  not  bound-checking,  is  handled  automatically 
by  the  use  of  context-free  path  grammars. 

By  adding  equations  on  the  paths  and  requirements  on  the  nodes  of  a 
path-grammar  which  force  them  to  be  limits  (as  in  the  theory  of  sketches, 
[WB]  and  [W])  it  should  be  possible  to  handle  bound-checking  as  well.  This 
is  the  subject  of  current  joint  work  with  A.  J.  Power. 
Abstract

We give a correspondence between enriched categories and the Gauss-Kleene-Floyd-Warshall connection familiar to computer scientists. This correspondence shows this generalization of categories to be a close cousin to the generalization of transitive closure algorithms. Via this connection we may bring categorical and 2-categorical constructions into an active but algebraically impoverished arena presently served only by semiring constructions. We illustrate these techniques by applying them to Birkhoff’s poset arithmetic, interpretable as an algebra of “true concurrency.”

The Floyd-Warshall algorithm for generalized transitive closure [AHU74] is the code fragment

for v do for u, w do δ_uw += δ_uv · δ_vw

Here δ_uv denotes an entry in a matrix δ, or equivalently a label on the edge from vertex u to vertex v in a graph. When the matrix entries are truth values 0 or 1, with + and · interpreted respectively as ∨ and ∧, we have Warshall’s algorithm for computing the transitive closure δ⁺ of δ, such that δ⁺_uv = 1 just when there exists a path in δ from u to v. When the entries are nonnegative reals, with + as min and · as addition, we have Floyd’s algorithm for computing all shortest paths in a graph: δ⁺_uv is the minimum, over all paths from u to v in δ, of the sum of the edges of each path.

Other  instances  of  this  algorithm  include  Kleene’s  algorithm  for  translating  finite  automata  into 
regular  expressions,  and  Gauss’s  algorithm  for  inverting  a  matrix,  in  each  case  with  an  appropriate 
choice  of  semiring. 

Not  only  are  these  algorithms  the  same  up  to  interpretation  of  the  data,  but  so  are  their  correctness 
proofs.  This  begs  for  a  unifying  framework,  which  is  found  in  the  notion  of  semiring.  A  semiring 
is  a  structure  differing  from  a  ring  principally  in  that  its  additive  component  is  not  a  group  but 
merely  a  monoid,  see  AHU  [AHU74]  for  a  more  formal  treatment. 
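The point that the instances differ only in the interpretation of + and · is easiest to see when the fragment is written once against an abstract semiring and then run twice. The following is an added example, not code from the paper: it parameterises the triple loop by a (plus, times, zero, one) record and runs it as the Boolean and (min, +) instances named above. The four-vertex graph and its weights are constructed for the example. In security work the Boolean instance is the usual way to answer “which principals can reach which resources through any chain of trust or ACL edges”; the code is the same, only the labels change.

```python
# Added example (not from the paper): the Floyd-Warshall fragment quoted above,
# written once over an abstract semiring (plus, times, zero, one) and then run
# as two of the instances the text names: Boolean (Warshall's reachability)
# and (min, +) (Floyd's all-pairs shortest paths).  The graph is constructed
# for the example.
from collections import namedtuple

Semiring = namedtuple("Semiring", "plus times zero one")

# Boolean semiring: + is OR, * is AND, 0 is False, 1 is True.
BOOLEAN = Semiring(plus=lambda a, b: a or b,
                   times=lambda a, b: a and b,
                   zero=False, one=True)

# Tropical (min, +) semiring: + is min, * is addition, 0 is "no path" (inf),
# 1 is the empty path of weight 0.
INF = float("inf")
MIN_PLUS = Semiring(plus=min, times=lambda a, b: a + b, zero=INF, one=0)


def closure(delta, sr):
    """for v do for u, w do delta[u][w] += delta[u][v] * delta[v][w],
    with + and * taken from the semiring.  Returns delta^+ as a new matrix
    and leaves the input untouched.  The diagonal stays at sr.zero unless the
    vertex lies on a cycle: this is the transitive closure delta^+ of the
    text, not the reflexive-transitive one.  O(n^3) for every instance."""
    n = len(delta)
    d = [row[:] for row in delta]
    for v in range(n):
        for u in range(n):
            for w in range(n):
                d[u][w] = sr.plus(d[u][w], sr.times(d[u][v], d[v][w]))
    return d


def matrix_from_edges(edges, n, sr, label):
    """Adjacency matrix over the semiring: sr.zero where there is no edge,
    label(weight) on each edge (u, v)."""
    m = [[sr.zero] * n for _ in range(n)]
    for (u, v), w in edges.items():
        m[u][v] = label(w)
    return m


# Constructed sample graph: (u, v) -> edge weight.  0 -> 1 -> 2 -> 3 plus a
# more expensive direct edge 0 -> 2; nothing leads back to 0.
EDGES = {(0, 1): 3, (1, 2): 4, (0, 2): 10, (2, 3): 1}
N = 4


def reachability(edges=EDGES, n=N):
    """Warshall: r[u][v] is True just when some path leads from u to v."""
    return closure(matrix_from_edges(edges, n, BOOLEAN, lambda w: True), BOOLEAN)


def shortest_paths(edges=EDGES, n=N):
    """Floyd: s[u][v] is the least total weight over all paths from u to v,
    INF when there is none."""
    return closure(matrix_from_edges(edges, n, MIN_PLUS, lambda w: w), MIN_PLUS)
```

On the sample graph reachability()[0][3] is True while reachability()[3][0] is False, and shortest_paths()[0][2] is 7 (via vertex 1) rather than the direct 10. Kleene's and Gauss's instances mentioned below fit the same closure function with a semiring of regular expressions or of matrix blocks in place of BOOLEAN or MIN_PLUS.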

Other  matrix  problems  and  algorithms  besides  Floyd-Warshall,  such  as  matrix  multiplication  and 
the  various  recursive  divide-and-conquer  approaches  to  closure,  also  lend  themselves  to  this  ab¬ 
straction. 

This abstraction supports mainly vertex-preserving operations on such graphs. Typical operations are, given two graphs δ, ε on a common set of vertices, to form their pointwise sum δ + ε defined as (δ + ε)_uv = δ_uv + ε_uv, their matrix product δε defined as (δε)_uw = Σ_v δ_uv · ε_vw (inner product), along with their transitive, symmetric, and reflexive closures, all on the same vertex set.

We  would  like  to  consider  other  operations  that  combine  distinct  vertex  sets  in  various  ways.  The 
two  basic  operations  we  have  in  mind  are  the  disjoint  union  and  cartesian  product  of  such  graphs, 
along  with  such  variations  of  these  operations  as  pasting  (as  not-so-disjoint  union),  concatenation 
(as  a  disjoint  union  with  additional  edges  from  one  component  to  the  other),  etc. 

An efficient way to obtain a usefully large library of such operations is to impose an appropriate categorical structure on the collection of such graphs. In this paper we show how to use enriched categories to provide such structure while at the same time extending the notion of semiring to the more general notion of monoidal category. In so doing we find two layers of categorical structure: enriched categories in the lower layer, as a generalization of graphs, and ordinary categories in the upper layer having enriched categories for their objects. The graph operations we want to define are expressible as limits and colimits in the upper (ordinary) categories.

We first make a connection between the two universes of graph theory and category theory. We assume at the outset that vertices of graphs correspond to objects of categories, both for ordinary categories and enriched categories. The interesting part is how the edges are treated.

The underlying graph U(C) of a category C consists of the objects and morphisms of C, with no composition law or identities. But there may be more than one morphism between any two vertices, whereas in graph theory one ordinarily allows just one edge. These "multigraphs" of category theory would therefore appear to be a more general notion than the directed graphs of graph theory.

A staple of graph theory however is the label, whether on a vertex or an edge. If we regard a homset as an edge labeled with a set then a multigraph is the case of an edge-labeled graph where the labels are sets. So a multigraph is intermediate in generality between a directed graph and an edge-labeled directed graph.

So starting from graphs whose edges are labeled with sets, we may pass to categories by specifying identities and a composition law, or we may pass to edge-labeled graphs by allowing other labels than sets. What is less obvious is that we can elegantly and usefully do both at once, giving rise to enriched categories. The basic ideas behind enriched categories can be traced to Mac Lane [Mac65], with much of the detail worked out by Eilenberg and Kelly [EK66], with the many subsequent developments condensed by Kelly [Kel82]. Lawvere [Law73] provides a highly readable account of the concepts.

We require of the edge labels only that they form a monoidal category. Roughly speaking this is a set bearing the structure of both a category and a monoid. Formally a monoidal category D = (D, ⊗, I, α, λ, ρ) is a category D = (D₀, m, i), a functor ⊗ : D² → D, an object I of D, and three natural isomorphisms α : c ⊗ (d ⊗ e) → (c ⊗ d) ⊗ e, λ : I ⊗ d → d, and ρ : d ⊗ I → d. (Here c ⊗ (d ⊗ e) and (c ⊗ d) ⊗ e denote the evident functors from D³ to D, and similarly for I ⊗ d, d ⊗ I and d as functors from D to D, where c, d, e are variables ranging over D.) These correspond to the three basic identities of the equational theory of monoids. To complete the definition of monoidal category we require a certain coherence condition, namely that the other identities of that theory be "generated" in exactly one way from these; see Mac Lane [Mac71] for details.

A D-category, or (small) category enriched in a monoidal category D, is a quadruple (V, δ, m, i) consisting of a set V (which we think of as vertices of a graph), a function δ : V² → D₀ (the edge-labeling function), a family m of morphisms m_uvw : δ(u,v) ⊗ δ(v,w) → δ(u,w) of D (the composition law), and a family i of morphisms i_u : I → δ(u,u) (the identities), satisfying the following diagrams.


(First diagram, from $\delta(u,v) \otimes (\delta(v,w) \otimes \delta(w,x))$ to $\delta(u,x)$: one path goes through $\alpha$, $m_{uvw} \otimes 1$ and $\delta(u,w) \otimes \delta(w,x)$, the other through $1 \otimes m_{vwx}$ and $\delta(u,v) \otimes \delta(v,x)$.)

$$m_{uwx} \circ (m_{uvw} \otimes 1) \circ \alpha = m_{uvx} \circ (1 \otimes m_{vwx})$$

(Second diagram: $I \otimes \delta(u,v) \to \delta(u,u) \otimes \delta(u,v) \to \delta(u,v) \leftarrow \delta(u,v) \otimes \delta(v,v) \leftarrow \delta(u,v) \otimes I$, with the outer legs $\lambda$ and $\rho$.)

$$m_{uuv} \circ (i_u \otimes 1) = \lambda, \qquad m_{uvv} \circ (1 \otimes i_v) = \rho$$


Inspection reveals the first of these as expressing abstractly the associativity of composition and the second as expressing the behavior of identities.

Associated with the notion of D-category is that of D-functor F : A → B where A and B are D-categories. This is just like an ordinary functor for its object part, mapping objects of A to objects of B via f : ob(A) → ob(B). The usual morphism part of a functor now becomes a family f_uv : δ_A(u,v) → δ_B(fu, fv) of morphisms of D:

(Diagram: the edge from u to v in A, labeled δ_A(u,v), is carried to the edge from fu to fv in B, labeled δ_B(fu, fv).)

which compose vertically in the obvious way.

The class of all D-categories and D-functors then forms a (large) category, called D-Cat.

The category Cat of all small categories can now be seen to be Set-Cat. Rendering this abstraction more accessible and appealing is the very pretty case D = R≥0 = ((R≥0, ≥), +, 0), reverse-ordered nonnegative reals under addition, for which R-Cat becomes the category of (generalized) metric spaces, with the composition law as the triangle inequality and functors as contracting maps [Law73]. Enriched categories first appeared in computer science with D = Poset = (Poset, ×, 1) [Wan79] yielding order-enriched categories, a natural notion for domain theory. Poset itself is definable as (the antisymmetric subcategory of) (({0,1}, →), ∧, 1)-Cat, categories enriched in truth-values.

We may now make the connection with semirings. The enriching monoidal category (D, ⊗, I, α, λ, ρ) has for D₀ the set of edge labels, for ⊗ the semiring multiplication, and for its coproduct (which therefore needs to exist in D) the semiring addition. The usual requirement of distributivity of multiplication over addition is met when D is biclosed (⊗ has a right adjoint in both arguments), with D closed corresponding to one-sided distributivity. (In these situations D cartesian closed is the exception rather than the rule.)

Although the literature has tended to make enriched categories seem if anything more abstract and forbidding than ordinary categories to most computer scientists, this perspective puts enrichment in quite a different light for those familiar with the Floyd-Warshall connection. For D a preorder with finite coproducts, enriched categories simply become the reflexive and transitive edge-labeled graphs output by the Gauss-Kleene-Warshall-Floyd algorithm. For D not a preorder, such as Set or Cat, yielding respectively ordinary categories and 2-categories, the notion becomes more involved (to which a categoriphobe might say "Ah, so that's the problem") but necessarily so for Gauss's algorithm, whose semiring addition is not idempotent.

This is a nice perspective in its own right, but it becomes considerably more useful when the 2-categorical structure of D-Cat is brought to bear on the description of particular algebras. We illustrate this by applying it to the categorical treatment of Birkhoff's arithmetic of posets [Bir42] and its generalization to other metrics besides the truth-valued metric used for posets. This arithmetic provides a nice abstraction of the sort of concurrency operations we have been advocating [Pra86] to make the "true concurrency" or partially-ordered-time approach more algebraic.

Birkhoff defines six operations on posets: addition, multiplication, and exponentiation, each in a cardinal and an ordinal version, as a way of unifying cardinal and ordinal arithmetic. (In the concurrency connection cardinal vs. ordinal corresponds to parallel vs. sequential.) The cardinal operations are conveniently described as universal in Poset, the ordinals not quite so conveniently categorically, but 2-categorically ordinal addition becomes just cocomma, indicating that the move from parallel to sequential can usefully be accompanied by a move from categories to 2-categories.

Birkhoff arithmetic admits useful generalizations to other semirings qua monoidal categories, suitable for modelling real-valued time in various forms: upper bounds, lower bounds, intervals, and arbitrary sets of reals, each associated with a specific monoidal category, but with the definitions of the associated arithmetic operations unchanged. These generalizations in turn suggest additional constructs, also definable universally, that would have been meaningless or degenerate in Birkhoff's original framework, but that have useful applications to the specification of real-time processes.

The prospect of a connection with Girard's linear logic obliges us to point out that as both an expansion and a nonconservative extension of the above theory, linear logic with negation is too strong for the purposes of making the connections of this paper, which are more appropriately described as aspects of a fragment of linear logic.
Abstract: Generalized automata are a tool for efficient algorithms design...

A short introduction to the usual tree automata: The definition is a natural generalization of the usual word automata (see for example [5,17,26] for the algebraic frame and [22] for the algorithmic point of view). From an "algebraic data types" point of view, states can be seen as sorts of an underlying order-sorted algebra [2].

Example: Let M be the (bottom-up, i.e. frontier-to-root) tree automaton defined by the ranked alphabet A, the set S of states, the set F of final states (F is a subset of S) and the set R of rules (each rule can be seen as a signature):

A = {+, *, /, -, suc, 1, 0}. +, *, / and - are binary operators (rank 2); suc is unary (rank 1); 1 and 0 are constants (rank 0). S = {real, int, bool}.

rules: 0 → real; 0 → int; 0 → bool; 1 → real; 1 → int; 1 → bool;

+(real, real) → real; +(int, int) → int; +(bool, bool) → bool;

*(real, real) → real; *(int, int) → int; *(bool, bool) → bool;

-(real, real) → real; -(int, int) → int; /(real, real) → real; suc(int) → int;

int → real (sort inclusion is denoted by this special kind of rule without function symbol, also called ε-transition)

Intuitively, the automaton M computes from the leaves to the root the sort of a term t (M[t] denotes the set of states reached by M at the top of t). It fails if a term is badly sorted, and it is non-deterministic because a term can get several sorts. M is said to be deterministic iff no M[t] contains two states.

Example: M[0] = {real, int, bool}; M[-(1,1)] = {real, int}; M[/(1,+(1,1))] = {real}; M[suc(/(1,+(1,1)))] is empty (i.e. M fails).

A term t is recognized iff M[t] contains at least one final state. A set of terms is recognizable iff it is the set of terms recognized by some automaton.

There exist an algorithm for non-determinism reduction and an algorithm for minimization; they work as in the word case. So M' below is the minimal deterministic automaton equivalent to M.

rules of M': 0 → rib; 1 → rib; +(rib,rib) → rib; *(rib,rib) → rib; -(rib,rib) → ri; /(rib) → r; succ(rib) → i; +(ri,rib) → ri; +(rib,ri) → ri; +(ri,ri) → ri; *(ri,rib) → ri; *(rib,ri) → ri; *(ri,ri) → ri; -(ri,rib) → ri; -(rib,ri) → ri; -(ri,ri) → ri; -(rib,rib) → ri; /(ri) → r; succ(ri) → i; +(i,rib) → i; +(i,ri) → i; +(ri,i) → i; +(r,rib) → r

etc... etc... (intuitively, ri can be identified with {real, int}, etc...).
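The automaton M above, encoded and run as an added example (not the paper's code): it computes M[t] for the four terms of the example and builds the states of M' by the subset construction (the minimization step is not included). The final-state set F is a constructed choice, since the text leaves it open.

```python
from itertools import product

# Constructed encoding of the example automaton M from the text.  A rule
# (symbol, argument states, result state) reads  symbol(args) -> result;
# the sort inclusion int -> real is the epsilon rule.
RULES = [
    ("0", (), "real"), ("0", (), "int"), ("0", (), "bool"),
    ("1", (), "real"), ("1", (), "int"), ("1", (), "bool"),
    ("+", ("real", "real"), "real"), ("+", ("int", "int"), "int"),
    ("+", ("bool", "bool"), "bool"),
    ("*", ("real", "real"), "real"), ("*", ("int", "int"), "int"),
    ("*", ("bool", "bool"), "bool"),
    ("-", ("real", "real"), "real"), ("-", ("int", "int"), "int"),
    ("/", ("real", "real"), "real"),
    ("suc", ("int",), "int"),
]
EPSILON = [("int", "real")]
FINAL = {"real"}          # the text leaves F open; constructed choice


def parse(text):
    """'suc(/(1,+(1,1)))' -> ('suc', ('/', ('1',), ('+', ('1',), ('1',))))."""
    pos = 0

    def term():
        nonlocal pos
        start = pos
        while pos < len(text) and text[pos] not in "(),":
            pos += 1
        sym, args = text[start:pos].strip(), []
        if pos < len(text) and text[pos] == "(":
            pos += 1
            while True:
                args.append(term())
                if text[pos] == ",":
                    pos += 1
                    continue
                if text[pos] != ")":
                    raise ValueError("expected ')' at %d" % pos)
                pos += 1
                break
        return (sym, *args)

    t = term()
    if pos != len(text):
        raise ValueError("trailing input")
    return t


def eps_close(states):
    """Close a set of states under the sort-inclusion rules."""
    closed = set(states)
    changed = True
    while changed:
        changed = False
        for p, q in EPSILON:
            if p in closed and q not in closed:
                closed.add(q)
                changed = True
    return frozenset(closed)


def step(sym, arg_states):
    """States reachable at a node labelled sym whose children reached the
    given sets of states (nondeterministic: every applicable rule fires)."""
    return eps_close(res for f, pre, res in RULES
                     if f == sym and len(pre) == len(arg_states)
                     and all(p in s for p, s in zip(pre, arg_states)))


def run(term):
    """M[t]: the set of states M reaches at the root of t, frontier to root.
    An empty result means M fails (t is badly sorted)."""
    sym, *args = term
    return step(sym, [run(a) for a in args])


def recognized(term):
    return bool(run(term) & FINAL)


def determinize():
    """Subset construction: the reachable sets M[t] become the states of the
    deterministic automaton M'; the empty set (failure) is left out, so a
    missing rule means M' fails."""
    symbols = {(f, len(pre)) for f, pre, _ in RULES}
    states, rules = set(), {}
    changed = True
    while changed:
        changed = False
        for sym, arity in symbols:
            for args in product(list(states), repeat=arity):
                target = step(sym, args)
                if target:
                    rules[(sym, args)] = target
                    if target not in states:
                        states.add(target)
                        changed = True
    return states, rules


if __name__ == "__main__":
    for t in ["0", "-(1,1)", "/(1,+(1,1))", "suc(/(1,+(1,1)))"]:
        print(t, "->", sorted(run(parse(t))) or "fails")
    det_states, det_rules = determinize()
    print(len(det_states), "states,", len(det_rules), "rules in M'")
```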

Remark that the semantics of M is clear but not that of M'. It is very usual to translate some algorithm (or to compile some program) to get an efficient but "non-significant" algorithm. Here, M' is very efficient in time but the number of rules can increase exponentially for obvious reasons. The complexity of the non-determinism reduction is coded in other usual problems, such as equivalence of two automata. Nevertheless, in usual cases, the number of rules does not increase a lot. Furthermore, it is possible to use dynamic programming à la Morris and Pratt to get linear classes of algorithms (like for recognition of a term or a subterm). Efficient algorithms are designed using transitive closure, in a way closely related to congruence closures in graphs [27,33].

An important toolbox is available; it links the algebraic point of view (i.e. the specification point of view) and the algorithmic point of view. Roughly speaking it generalizes the Kleene theorem: "for any specification, compile the best algorithm". A lot of algebraic tools have been studied. Some are usual from the categorical point of view but sophisticated transducers (a little too complicated!) have also been introduced to model compilation [18]. Most of them have realistic algorithmic properties.

This was a very short sketch of the present situation. Using these tools, and tedious analysis of tree structures (as in formal language theory) we recently solved the following problems (stated in [5], [14], [23], [24], [31]): decidability of the confluence of ground term rewriting systems [9], [10]; decidability of the fair termination of ground term rewriting systems [37]; undecidability of the stability of recognizability under saturated congruence [36]; undecidability of the code problem for non-linear trees and other structures [1]; decidability of equality of the yields of rational infinite trees [8]; undecidability of termination of a left-linear rewriting rule [12]. We are designing a software (VALERIAAN, in Prolog [11], [13]) for theorem proving, first and second order reachability problems [31], etc. in some classes of term equations and rewriting. We get an optimised compiler of term rewriting which solves first order reachability in linear time. Roughly speaking, we use dynamic programming, generalizing the famous Morris and Pratt pattern-matching algorithm.

An example of automata used to solve a problem.

The problem of decidability of the confluence of ground term rewriting systems was stated by Huet. We solved it recently in the way sketched below (see [9], [10]).

Definition of the class GTT of ground tree transducers (gtt): let A = {(L_j, R_j) | 0 < j ≤ n} be a finite set of pairs of recognizable sets of trees. The corresponding gtt A is defined by:

(u, v) ∈ A iff there exist t(x1, ..., xp), u1, ..., up, v1, ..., vp such that u = t(u1, ..., up), v = t(v1, ..., vp) and for all i (1 ≤ i ≤ p) there exists (L_j, R_j) in A such that ui ∈ L_j and vi ∈ R_j.

1/ Using tree automata techniques we prove that: (i) the inverse of a gtt is a gtt; (ii) the composition of two gtt is a gtt; (iii) the precongruence closure of the union of two gtt is a gtt; (iv) the iteration of a gtt is a gtt.

2/ Then it is obvious that the relation R* associated to a ground term rewriting system R is a gtt (it suffices to remark that a ground rewriting step is a gtt and to use 1/).

3/ R is confluent iff R* ∘ R*⁻¹ ⊆ R*⁻¹ ∘ R* (obvious). We can then code R* as a recognizable tree language and reduce the confluence decision to the inclusion of recognizable tree languages.


Furthermore, using this characterization of ground term rewriting systems, we get efficient algorithms to solve reachability problems (see VALERIAAN). (Gallier et al. [29,30] recently extended the method of matings due to Andrews to first order languages with equality; they proved that the method of equational matings remains complete when used in conjunction with a restricted kind of E-unification (rigid unification) using ground rewriting.)


Related works and further works: logic and automata.

One of the motivations of tree automata was decision problems of second-order logic [34]. Recent and important works studied the connection between logic and automata [6,35].

The general goal is to associate to a logical system a class of automata to get decision properties on the underlying objects (finite or infinite words, trees, graphs) [28,29,30]. This way provides very powerful results, which associate to logical specifications (which can be seen as a very high level of specification) decision algorithms by way of automata on different algebraic structures. Unfortunately, the complexity of these algorithms is not realistic. An algebraic and algorithmic study of automata on these structures could provide, at an intermediate level of specification including heuristics, useful tools for an interactive design of efficient algorithms.

Our study of weighted graphs, which generalizes usual infinite rational trees and provides a tool for decision and complexity analysis in Logic Programming, illustrates this way. The algebraic structure can be drawn as follows [7,15,16]:

(Figure: usual directed graph; weighted directed graph.)


Another way is to extend recognizable sets of trees to recognizable sets of trees with some kind of equality control between subterms [0,2,3]. For example, we consider automata rules which check equalities of subterms [0]. We extend the classes but we keep good decision properties. The results can be used for some decision problems in algebras containing terms with non-linear signatures.
In a series of papers [5,6,7,8,14,15], Mosses and Watt define action semantics, a metalanguage for high level, domain-independent formulation of denotational semantics definitions. Action semantics hides details about domain structure (e.g., direct semantics domains vs. continuation semantics domains vs. resumption semantics domains) and coercions (e.g., integers into reals, injections of summands into sum domains) to encourage readability and modifiability. Action semantics notation is of interest as a programming language of itself, for its components (called actions) are polymorphic operators that can be composed in three fundamental ways.

We have formulated a model for action semantics based on Reynolds' category-sorted algebra [10,12]. In the model, actions are natural transformations, and the composition operators become compositions in a weak "3-category"-like structure. We have used the model to prove the soundness and completeness of a unification-based, decidable, type inference algorithm for action semantics expressions. The proof is notable for its simplicity.

Action Semantics

Actions are combinators; they operate upon kinds (Mosses calls them facets [5,7]). A kind is a collection of types; for example, the functional facet is the kind of all types that can be used as temporary values in a computation. The types int, bool, real, bool×real, and so on, belong to the functional facet. (Other facets include the declarative facet, which contains types of identifier-value binding, and the imperative facet, which contains types of storage structure.) The types in a kind are pre-ordered to reflect subtyping relationships [1,9,11].

Actions are polymorphic mappings on kinds. For example, the action copy is the identity mapping on the types in the functional facet, and the action succ also maps functional facet values to functional facet values; it increments int and real values, and it maps non-numbers to a nonsense value. Actions exist for all the fundamental operations of programming languages: value passing, arithmetic, binding creation and access, storage allocation and updating, and so on [5,7,8].

Actions can be composed. Arguments to a compound action may pass from one component action to the other sequentially, in parallel, or conditionally. For example, the compound action copy; succ accepts a functional facet value that is passed sequentially from copy to succ, and the output is the incremented value. The action copy * succ accepts a value, which is given in parallel to both copy and succ. The two results, the value and its successor, are merged together into a pair. Finally, copy ! succ accepts a value, which is conditionally given to one of the two actions, based on the typing of the value. The three compositions are used to define derived compositions that describe value flows found in programming languages. For example, * and ; are combined to describe the flows of bindings and storage, respectively, in command sequencing.

Coercions of arguments and results of actions occur implicitly and naturally (that is, the placement of coercions does not affect the output of an action). For example, if an int argument is given to succ, but context demands a real answer, an implicit coercion can occur either on the argument or on the answer and the result is the same in either case.

An action semantics may possess many kinds, and the kinds can themselves be preordered. The composition operators respect the subkinding.

Category-Sorted Algebra

Action semantics demands a model that supports the Scott-domain theory upon which denotational semantics is based. Scott-domains, subdomain relationships, and polymorphic operations are naturally described within category-sorted algebra (csa) [10,12]. The appendix gives a precise definition of a csa; here we supply an example of one in the form of a sample functional facet. Let {copy, succ} be a set of action names and let A be the poset of type names:

      ns
     /  \
  real   bool
   |
  int

Let T_copy be the identity operation on the poset and let T_succ map int to int, real to real, and bool and ns to ns. (T_copy and T_succ are the "typing functions" for actions copy and succ.) Now, (A, {T_copy, T_succ}) forms a single-sorted algebra (ssa); the ssa plus the operator set {copy, succ} form a signature for a csa.

The carrier of the csa is a functor F: A → Pdom (Pdom is the category of predomains, i.e., "bottomless cpos") that maps int to Z, real to R, bool to B, and ns to 1 (the terminal object in Pdom). The functor interprets the type names and the coercion mappings between them. The operators are interpreted as natural transformations: the copy operator becomes the identity natural transformation in F ⇒ F ∘ T_copy, and the succ operator becomes a natural transformation in F ⇒ F ∘ T_succ. The natural transformations respect the coercion maps established by the carrier.

Other facets are defined similarly. Indeed, the complete structure of action semantics is defined as a csa of a csa, where the first csa defines the facet hierarchy (of which the poset seen above is part), and the second, many-sorted, csa defines the interpretation of the facets (of which the csa seen above is part).

The csa framework accommodates direct and continuation-style denotational semantics for actions. An action like succ can be defined as a natural family of direct semantics functions in Expressible-Value → Expressible-Value or as a natural family of continuation semantics functions in (Expressible-Value → Answer) → (Expressible-Value → Answer).


Applications 

Action semantics expressions are uncluttered by typing annotations; nonetheless, such annotations are invaluable to analysis and implementation. We have defined a unification-based type inference algorithm that annotates an action expression with a typing scheme that indicates its sensical behavior in its context of use.

The algorithm assigns primitive type schemes to primitive actions. For example, the actions copy and succ are given type schemes:

copy: θ → θ

succ: θ → θ if θ ≤ real

The second scheme says that succ has an answer type that matches its argument type if the argument type θ satisfies the constraint θ ≤ real [3,4].

A composed action expression has its type scheme inferred from the types of its components. For actions:

a1: σ1 → τ1 if C1

and

a2: σ2 → τ2 if C2

the algorithm infers:

(a1; a2): Uσ1 → Uτ2 if U(C1 ∪ C2)

where U is the most general unifier of τ1 and σ2. Other forms of composition are treated similarly.

Let action a have a typing function T_a in the csa interpretation. A typing scheme a: σ → τ if C is sound if, for all substitutions U such that Uσ is a completely instantiated type name and U(C) is a set of completely instantiated constraints that hold true, T_a(Uσ) = Uτ. The scheme is complete if, for all types t, T_a(t) ≠ ns implies there exists a substitution U such that Uσ = t and U(C) is a completely instantiated set of constraints that hold true.
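An added example (not the paper's algorithm) of the composition rule and the soundness and completeness definitions above, over the sample functional facet: type schemes carry a constraint set, sequential composition unifies the answer type of the first action with the argument type of the second, and the inferred scheme is checked against the typing functions T_copy and T_succ. The poset, the typing functions and the schemes are constructed from the text.

```python
# Constructed sample functional facet from the text: the poset A of type
# names with int <= real <= ns and bool <= ns.
TYPES = ("int", "real", "bool", "ns")
ORDER = {("int", "real"), ("int", "ns"), ("real", "ns"), ("bool", "ns")}


def leq(s, t):
    return s == t or (s, t) in ORDER


# Typing functions of the csa interpretation (the semantic side).
def T_copy(t):
    return t


def T_succ(t):
    return t if t in ("int", "real") else "ns"


# A type scheme is (sigma, tau, constraints): "a: sigma -> tau if C", where C
# is a set of (type, upper bound) pairs.  Type variables start with a quote.
COPY = ("'a", "'a", frozenset())
SUCC = ("'b", "'b", frozenset({("'b", "real")}))


def is_var(t):
    return t.startswith("'")


def walk(t, subst):
    """Apply a substitution to a type (variables chain through subst)."""
    while is_var(t) and t in subst:
        t = subst[t]
    return t


def unify(s, t, subst):
    """Most general unifier of two types (atoms and variables); None if none."""
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return subst
    if is_var(s):
        return {**subst, s: t}
    if is_var(t):
        return {**subst, t: s}
    return None            # two distinct type names never unify


def rename(scheme, tag):
    """Rename variables apart so two schemes never share one."""
    sig, tau, cons = scheme
    r = lambda t: t + tag if is_var(t) else t
    return r(sig), r(tau), frozenset((r(t), b) for t, b in cons)


def compose(s1, s2):
    """Sequential composition a1;a2: with U the mgu of tau1 and sigma2,
    infer U sigma1 -> U tau2 if U(C1 u C2).  None means no typing exists."""
    (sig1, tau1, c1), (sig2, tau2, c2) = rename(s1, "1"), rename(s2, "2")
    U = unify(tau1, sig2, {})
    if U is None:
        return None
    return (walk(sig1, U), walk(tau2, U),
            frozenset((walk(t, U), b) for t, b in c1 | c2))


def instantiate(scheme, t):
    """Answer type of the scheme on the ground argument t, or ns when t does
    not match sigma or the instantiated constraints fail."""
    sig, tau, cons = scheme
    U = unify(sig, t, {})
    if U is None or not all(leq(walk(x, U), b) for x, b in cons):
        return "ns"
    return walk(tau, U)


def sound(scheme, T):
    """Every ground instance whose constraints hold agrees with T_a."""
    return all(instantiate(scheme, t) == T(t)
               for t in TYPES if instantiate(scheme, t) != "ns")


def complete(scheme, T):
    """Wherever T_a is not ns, some instance of the scheme types the action."""
    return all(instantiate(scheme, t) != "ns"
               for t in TYPES if T(t) != "ns")


if __name__ == "__main__":
    seq = compose(COPY, SUCC)
    print("copy;succ :", seq)
    print("sound:", sound(seq, lambda t: T_succ(T_copy(t))),
          "complete:", complete(seq, lambda t: T_succ(T_copy(t))))
```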

We have proved the soundness and completeness of the type inference algorithm. No complex proof-theoretic techniques are needed to establish the results, because the csa model provides simple, significant information in the form of the T_a typing functions. Further, the model discourages formulation of a type inference algorithm that attempts to insert explicit coercions. Since actions are natural transformations, coercions are unnecessary; the actions must respect the subtyping ordering, whether coercions are used or not. Finally, the inference algorithm is decidable, since natural transformations are "shallow universally quantified" (like the polymorphic operators in ML). Thus, many of the sticky problems found in type inference for programming languages with polymorphism and subtyping are avoided by selection of the csa model.

We have also implemented a prototype interpreter for action semantics along the lines of [14] but with a more careful treatment of the facet flows to actions [2].
Appendix

The notation and definitions are from [12]. Let S = (Ob(S), Mor(S), ∘) be a category; assume that S has finite products.

Definition: An Ω-signature is a pair (Ω, ar), where Ω is a set of operators, and ar: Ω → N is a function that gives the arity of the operators.

Definition: A (single-sorted) Ω-algebra (based on S) is a pair A = (|A|, {A_ω | ω ∈ Ω}), where |A| ∈ Ob(S) is the carrier of the algebra, and for each ω ∈ Ω, operation A_ω: |A|^(ar ω) → |A| is in Mor(S).

Definition: An Ω-T signature is a triple (Ω, ar, T), where Ω and ar are defined as above, and T is an Ω-algebra based on PreO. (PreO is the category of preordered sets and monotone mappings.)

Definition: An Ω-T category-sorted algebra (based on S) is a pair A = (|A|, {A_ω | ω ∈ Ω}), where |A|: |T| → S, the carrier of A, is a functor from |T|, treated as a category in the usual way, to category S; and for each ω ∈ Ω, operation A_ω: |A|^(ar ω) → |A| ∘ T_ω is a natural transformation, where T_ω is treated as an endofunctor on |T|.

The above definitions easily generalize to many-sorted algebras and category many-sorted algebras.
ABSTRACT: The substitution process of de Bruijn calculus is analysed with an equational theory, called the "de Bruijn Algebra". Two optimisations are described by equations, which can be oriented into term rewriting systems: parallel substitution and a "labelled" substitution delaying the recoding of the argument's free variables.

KEYWORDS: λ-calculus, de Bruijn calculus, substitution, algebra, equational theory, term rewriting
Introduction

Implementations of functional languages rely on λ-calculus as a firm mathematical ground. Lambek [3] showed a close relation between typed λ-calculus and Cartesian Closed Categories (CCC in the sequel), and later, Curien [2] used Lambek's formalism to show that λ-terms in de Bruijn's notation [1] could be translated into CCC-terms. This approach led to an efficient implementation of the language ML (originally developed at the University of Edinburgh). The Categorical Abstract Machine, on which this is based, performs weak reductions and takes advantage of the pairing of functions and of the polymorphism of the "categorical combinators".

In [4], we have studied an implementation of a functional language based on strong reduction: programs are untyped λ-terms internally coded with de Bruijn's notation, and their semantics is given by the head normal form.

In λ-calculus theory, substitution is treated as a one-step process, which is unsuitable for practical implementations. This remark led us to study substitution more carefully. From our algebraic approach, which formalizes this process, we have derived various substitution algorithms that improve it.

We shall introduce an abstract algebra, that we have called the “de Bruijn Algebra” (dBA for short), which is directly inspired by CCC and Curien's work. This algebra defines an equational theory where the substitution process is entirely decomposed and simulated by its axioms. Moreover, we shall not be restricted to typed terms: we can forget about typed theory, and formal computations in dBA will serve the untyped λ-calculus theory as well.

Definition


We give the “strong rules system” of [2] (p. 10) with our notations (and name). Then, the standard substitution algorithm in de Bruijn's notation is recalled.

The de Bruijn Algebra is defined as follows:

0-arity operators (i.e. constants): x, x', id;
unary operators: λ., # and +;

binary operators: · (this dot will in fact be omitted) and ∘.

If f ∈ dBA, the results of the three unary operators are respectively noted (λ.f), f# and f+. With these notations, the axioms of dBA are:


(1) $(\lambda.f)\,g = f \circ g^{\#}$

(2) $(f \circ g) \circ h = f \circ (g \circ h)$

(3) $(\lambda.f) \circ g = \lambda.(f \circ g^{+})$

(4) $(fg) \circ h = (f \circ h)(g \circ h)$

(5) $x \circ f^{+} = f \circ x$

(6) $x' \circ f^{+} = x'$

(7) $x \circ f^{\#} = \mathrm{id}$

(8) $x' \circ f^{\#} = f$

(9) $\mathrm{id} \circ f = f$

(10) $f \circ \mathrm{id} = f$

Some intuitive feeling can be caught from CCC: each of these axioms is indeed a simple theorem of CCC theory. ∘ is borrowed from the composition of arrows, id comes from the identity arrow, x and x' correspond respectively to the first and second projections of cartesian categories. If $f: A_1 \to A_2$, then $f^{+}: A_1 \times B \to A_2 \times B$ is $(f \circ x, x')$, and $f^{\#}: A_1 \to A_1 \times A_2$ is $(\mathrm{id}_{A_1}, f)$. In a cartesian closed category, we have two maps $\mathrm{App}: (B^{A}) \times A \to B$ and $\lambda.: (A \times B \to C) \to (A \to C^{B})$, such that, for any $f: A \times B \to C$, $\lambda.f$ is the unique map satisfying $\mathrm{App} \circ (\lambda.f)^{+} = f$. Now, if $fg$ is defined as $\mathrm{App} \circ (f, g)$, (1)–(4) above are easy consequences of these definitions. For example, let's first notice that $f^{+} \circ g^{\#} = (f, g)$ and $f^{+} \circ g^{+} = (f \circ g)^{+}$ in any CCC; then $f \circ g^{\#} = \mathrm{App} \circ (\lambda.f)^{+} \circ g^{\#} = \mathrm{App} \circ (\lambda.f, g) = (\lambda.f)\,g$, and $f \circ g^{+} = \mathrm{App} \circ (\lambda.f)^{+} \circ g^{+} = \mathrm{App} \circ ((\lambda.f) \circ g)^{+}$, hence $(\lambda.f) \circ g = \lambda.(f \circ g^{+})$, by unicity.


REMARK: In dBA we could not, for example, deduce (4) from the other axioms, contrasting with the proof in a cartesian closed category, which uses the uniqueness of $(f, g) = h$ such that $x \circ h = f$ and $x' \circ h = g$. The same is true for (3), which must be taken here as an axiom. Our equational theory is weaker than CCC theory (which is of course not equational) but strong enough for λ-calculus purposes, as we shall see shortly. Moreover, we have eliminated all couples explicitly, since they are not present in λ-calculus either.


When the integer-coded bound variable n is interpreted by $x' \circ x \circ \cdots \circ x$ (with n copies of x), as in [2], a λ-term in de Bruijn's notation corresponds, without changing its syntax, to an element of dBA. The image of λ-terms in dBA by this injective morphism will be noted dB. For the next two lemmas, we shall introduce some more notations:

NOTATIONS: (i) $(f^{\#})^{+} = f^{\#+}$, $(f^{+})^{+} = f^{++}$ etc., and $f^{\#+\cdots+} = f^{[k]}$ if there are k copies of + (in particular $f^{[0]} = f^{\#}$).

(ii) $(x^{d})^{+\cdots+} = x^{d,k}$ (k copies of +).


LEMMA. With the preceding notations, for all k ≥ 0 and n ≥ 0, we have:

$$n \circ f^{[k]} = \begin{cases} n & \text{if } n < k,\\ f \circ x^{k} & \text{if } n = k,\\ n - 1 & \text{if } n > k.\end{cases}$$


LEMMA. For any f ∈ dB and any integer d > 0, the term $f \circ x^{d}$ can be reduced to a term g ∈ dB by the following rules:

$(\lambda.f) \circ x^{d,k} = \lambda.(f \circ x^{d,k+1})$,

$(f_1 f_2) \circ x^{d,k} = (f_1 \circ x^{d,k})(f_2 \circ x^{d,k})$,

$$n \circ x^{d,k} = \begin{cases} n & \text{if } n < k,\\ n + d & \text{if } n \ge k.\end{cases}$$

It is easily checked that, for any f ∈ dB, the new term produced by the reduction of $f \circ x^{n}$ is identical to f except for the free variables, which are all recoded by increasing their code by n.

By definition, substitution of a dB-term g in another dB-term f consists in reducing $f \circ g^{\#}$.

We  have  the  following  main  result : 

THEOREM. If M and N are two λ-terms, and $\overline{M}$ and $\overline{N}$ their respective counterparts in dBA, then:

$$\mathrm{dBA} \vdash \overline{M} = \overline{N} \iff \lambda \vdash M = N.$$


Substitution  improved 

We  shall  show  how  to  prove  the  correctness  of  two  optimisations  of  the  standard  substitution  algorithm  with 
the  help  of  dBA.  In  fact,  from  equalities  in  dBA,  we  get  the  recursive  algorithms  we  are  looking  for. 

1  —  Parallel  substitution 

We  want  to  get  here  an  algorithm  for  parallel  substitution. 

NOTATIONS: for k ≥ 0, let $\bar g^{[k]} = g_1^{[l-1+k]} \circ \cdots \circ g_l^{[k]}$.

LEMMA. (i) $(\lambda^{l}.f)\,g_1 g_2 \cdots g_l = f \circ \bar g^{[0]}$,

(ii) $(\lambda.f) \circ \bar g^{[k]} = \lambda.(f \circ \bar g^{[k+1]})$,

(iii) $(f_1 f_2) \circ \bar g^{[k]} = (f_1 \circ \bar g^{[k]})(f_2 \circ \bar g^{[k]})$,

(iv) $$n \circ \bar g^{[k]} = \begin{cases} n & \text{if } n < k,\\ g_{l-n+k} \circ x^{k} & \text{if } k \le n < k + l,\\ n - l & \text{if } n \ge k + l.\end{cases}$$

(i) shows what we want to compute and is easily checked; (ii), (iii) and (iv) give a deterministic algorithm when interpreted as rewrite rules (orienting equalities from left to right) on dB: only one of the three rules can be applied to a given dB-term, depending on its structure (i.e. abstraction, application, or variable).


2  —  Labelled  substitution 


Our aim is to delay the recoding of the free variables of a substituted argument (this recoding is necessary in the standard algorithm), so that sharing can be achieved.

We are going to define substitution on a larger subset of dBA than dB. Indeed, dB-terms not yet recoded are of the form $f \circ x^{d}$, with f ∈ dB and d ≥ 0. These terms will be called “labelled terms” and the subset of dBA they form will be noted ldB. In dB, redexes are simply $(\lambda.f)\,g$; now we have to consider also those of the form $((\lambda.f) \circ x^{d})\,g$. The new substitution will perform at the same time the recoding of $(\lambda.f)$ and the substitution of the argument g. Moreover, recoding of g will not be computed, but delayed.

NOTATIONS: (i) $(x^{d})^{+} \circ g^{\#} = g^{(d)}$,

(ii) $g^{(d)k} = g^{(d)+\cdots+}$ if there are k copies of +.

LEMMA. (i) $((\lambda.f) \circ x^{d})\,g = f \circ g^{(d)}$,

(ii) $(f_1 f_2) \circ g^{(d)k} = (f_1 \circ g^{(d)k})(f_2 \circ g^{(d)k})$,

(iii) $(\lambda.f) \circ g^{(d)k} = \lambda.(f \circ g^{(d)(k+1)})$,

(iv) $$n \circ g^{(d)k} = \begin{cases} n & \text{if } n < k,\\ g \circ x^{k} & \text{if } n = k,\\ n + d - 1 & \text{if } n > k,\end{cases}$$

(v) $$x^{d'} \circ g^{(d)k} = \begin{cases} g^{(d)(k-d')} \circ x^{d'} & \text{if } d' \le k,\\ x^{d+d'-1} & \text{if } d' > k.\end{cases}$$


Again, from these equalities converted into a term rewriting system on ldB, we get a substitution algorithm on labelled terms. The last case (v) shows how to deal with substitution into a labelled term, say $f \circ x^{d'}$: if the label d' is greater than the depth k where g is to be substituted, it is clear that there will be no free variable with a code equal to k and consequently no occurrence where to substitute g; hence, in that case, we get a simple result, viz. $x^{d+d'-1}$ (as can be checked).

REMARK: The two algorithms could be mixed to produce a “parallel and labelled” substitution (see [4]).
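As an added example (not code from the paper), the three substitution algorithms discussed above, the standard one of the first lemma, the parallel one of section 1 and the labelled one of section 2, written as rewrite functions on a small term representation of dB and ldB, and checked against each other on constructed terms; the class and function names are my own.

```python
from dataclasses import dataclass

# Terms of dB (de Bruijn notation) plus the labelled terms f o x^d of ldB.
@dataclass(frozen=True)
class Var:
    n: int          # bound variable n = x' o x o ... o x (n copies of x)
@dataclass(frozen=True)
class Lam:
    body: object    # abstraction lambda.f
@dataclass(frozen=True)
class App:
    f: object       # application f g (the omitted dot of dBA)
    g: object
@dataclass(frozen=True)
class Lab:
    f: object       # labelled term f o x^d: recoding of free variables delayed
    d: int

def shift(f, d, k=0):
    """f o x^{d,k} on a dB term (second lemma): free variables >= k are increased by d."""
    if isinstance(f, Lam):
        return Lam(shift(f.body, d, k + 1))
    if isinstance(f, App):
        return App(shift(f.f, d, k), shift(f.g, d, k))
    return f if f.n < k else Var(f.n + d)

def subst(f, g, k=0):
    """f o g^{[k]} on dB terms (first lemma): the standard substitution."""
    if isinstance(f, Lam):
        return Lam(subst(f.body, g, k + 1))             # axiom (3)
    if isinstance(f, App):
        return App(subst(f.f, g, k), subst(f.g, g, k))  # axiom (4)
    if f.n < k:
        return f
    if f.n == k:
        return shift(g, k)                              # g o x^k
    return Var(f.n - 1)

def psubst(f, gs, k=0):
    """f o gbar^{[k]} for gs = [g_1, ..., g_l]: parallel substitution, lemma (ii)-(iv)."""
    l = len(gs)
    if isinstance(f, Lam):
        return Lam(psubst(f.body, gs, k + 1))
    if isinstance(f, App):
        return App(psubst(f.f, gs, k), psubst(f.g, gs, k))
    if f.n < k:
        return f
    if f.n < k + l:
        return shift(gs[l - f.n + k - 1], k)            # g_{l-n+k} o x^k (1-indexed)
    return Var(f.n - l)

def lsubst(f, g, d, k=0):
    """f o g^{(d)k}, with g^{(d)} = (x^d)+ o g#: labelled substitution, lemma (ii)-(v)."""
    if isinstance(f, Lam):
        return Lam(lsubst(f.body, g, d, k + 1))         # (iii)
    if isinstance(f, App):
        return App(lsubst(f.f, g,d, k), lsubst(f.g, g, d, k))  # (ii)
    if isinstance(f, Lab):                              # (v)
        if f.d <= k:
            return Lab(lsubst(f.f, g, d, k - f.d), f.d)
        return Lab(f.f, d + f.d - 1)                    # no occurrence of k to substitute
    if f.n < k:                                         # (iv)
        return f
    if f.n == k:
        return Lab(g, k) if k else g                    # g o x^k, recoding of g delayed
    return Var(f.n + d - 1)

def beta(t):
    """Root redex (lambda.f) g of dB: axiom (1), f o g#."""
    return subst(t.f.body, t.g)

def lbeta(t):
    """Root redex ((lambda.f) o x^d) g of ldB: lemma (i), f o g^{(d)}."""
    fun, d = (t.f.f, t.f.d) if isinstance(t.f, Lab) else (t.f, 0)
    return lsubst(fun.body, t.g, d)

def force(t):
    """Perform all delayed recodings, mapping an ldB term back to dB."""
    if isinstance(t, Lab):
        return shift(force(t.f), t.d)
    if isinstance(t, Lam):
        return Lam(force(t.body))
    if isinstance(t, App):
        return App(force(t.f), force(t.g))
    return t

def check_examples():
    """Constructed terms: both optimisations agree with the standard algorithm."""
    a, b = Var(3), Lam(Var(2))                      # arguments with free variables
    body = App(Var(1), Var(0))                      # lambda.lambda.(1 0) applied to a, b
    two_steps = beta(App(beta(App(Lam(Lam(body)), a)), b))
    parallel = psubst(body, [a, b])
    # a labelled redex whose body already carries a label from an earlier step
    lbody = Lam(App(Var(1), Lab(App(Var(0), Var(1)), 1)))
    redex = App(Lab(Lam(lbody), 1), Var(7))
    return {"two_steps": two_steps, "parallel": parallel,
            "standard": beta(force(redex)), "labelled": force(lbeta(redex))}
```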


Conclusion 

We have presented an abstract algebra, the de Bruijn Algebra, which contains the set of λ-terms in de Bruijn's notation, and also other interesting terms like the so-called “labelled (de Bruijn) terms”. The substitution process can be investigated in great detail with this algebraic approach. We have indicated how various substitution algorithms can be deduced from the standard one and how to improve it. Other results converging to an efficient implementation of λ-calculus can be found in [4]. They are based on the notion of relocalisation of redexes, which allows one to interpret the integer codes of the variables as offset-addresses in a stack of arguments and to prove the correctness of abstract machines.

Finally, let's mention that if one is interested in η-reduction, the following axiom would have to be considered: $\lambda.(f \circ x)\,x' = f$.
A Game Characterization of the Observational Equivalence of Processes

(Extended  Abstract) 

M.  Halit  Oguztuzun 
Iowa City, IA 52242

This preliminary work is concerned with the characterization of the observational equivalence of processes in model-theoretic terms. First, the Ehrenfeucht game is extended by introducing a condition of “compatibility”, and then it is shown that the equivalence induced by the extended game with an appropriate notion of compatibility coincides with observational equivalence. Second, a subclass of first-order languages is defined by “translating” this specific compatibility notion into a syntactical constraint. It is conjectured that the language thus obtained corresponds to the extended game in the sense that a first-order language corresponds to the original game.

The Ehrenfeucht game is played by two players, Player I and Player II, given two similar (relational) structures, A = <A, {R_i | i ∈ I}> and B = <B, {S_i | i ∈ I}>, where I is some index set. With A [resp. B] we associate a reflexive relation C_A [resp. C_B] on A [resp. B]. We call them the compatibility relations. Let n be a fixed natural number. We then denote the extended Ehrenfeucht game by G_n(A, C_A, B, C_B). A play of this game consists of n rounds, each of which is played as follows. First, Player I chooses an element of either A or B. In response, Player II picks an element of the other structure. Each element must be “compatible” with the element chosen from that set at the previous round. More precisely, let c_i be the element of A [or B] chosen at round i. In the next round, for any player to choose an element c_{i+1} of A [resp. B], c_i C_A c_{i+1} [resp. c_i C_B c_{i+1}] must hold. At the end of the play, we have <a_1, ..., a_n>, the sequence of elements chosen from A, and <b_1, ..., b_n>, the sequence of elements chosen from B. Player II wins the play of the game iff the correspondence between a_i and b_i (i = 1, ..., n) is an isomorphism with respect to the relations of A and B. Otherwise Player I wins.

We define a relation on similar structures by Player II having a winning strategy. This turns out to be an equivalence relation. More precisely, let A and B be two similar structures. We say that A is G_n-equivalent to B (w.r.t. C_A and C_B) iff Player II has a winning strategy in the game G_n(A, C_A, B, C_B). We say that A is G-equivalent to B iff A is G_n-equivalent to B for all n (given C_A and C_B).

We model a process as a synchronization tree (st). An st is a rooted, unordered, labelled, finitely-branching tree [4]. We can view an st as the unfolding of a nondeterministic state transition system with “silent” moves. Formally, we represent an st A as a structure A = <A, {R_μ | μ ∈ Λ;τ}, a_0>, where A is a countable set (of nodes, or states), Λ is a finite set (of labels) and τ ∉ Λ, R_μ (μ ∈ Λ;τ) are binary relations on A (arcs, or transitions), and a_0 ∈ A (the root, or initial state). (Notation: Λ;τ = Λ ∪ {τ}.) The silent transition R_τ has to be reflexive, so we have a self-loop labelled τ at each node.

We define the observational equivalence on sts (denoted ≈) as follows.

Let two sts A and B be given as above. Then, let ⇒_μ be the closure of R_μ under left and right relational compositions with R_τ, for μ ∈ Λ;τ. We identify an st with its root. Now the definition:

A ≈_0 B. A ≈_{k+1} B iff

(i) A ⇒_μ A' implies B ⇒_μ B' and A' ≈_k B' for some B'; and

(ii) B ⇒_μ B' implies A ⇒_μ A' and A' ≈_k B' for some A'.

A ≈ B iff for all k A ≈_k B.

Given two sts A and B, we consider the game G_n(Â, C_A, B̂, C_B) where Â = <A, {⇒_μ | μ ∈ Λ;τ}>, with ⇒_μ defined as above (μ ∈ Λ;τ), and the compatibility relation C_A is defined as ∪_{μ ∈ Λ;τ} ⇒_μ. Similarly, we define B̂ and C_B for B.

THEOREM: Given two synchronization trees A and B, A ≈ B iff the structures Â and B̂ defined above are G-equivalent (w.r.t. C_A and C_B).

Now, consider a first-order language L with a finite number of two-place predicate symbols and a constant symbol, without equality. The predicate symbols are to be interpreted as the relations ⇒_μ (μ ∈ Λ;τ), and the constant symbol is to be interpreted as the root. Let φ be a formula of L which is not tautologically false. Consider a formula φ' of L which is logically equivalent to φ and in prenex-disjunctive normal form. Let ψ be a disjunct of the matrix of φ'. Define a relation on the set of variables and the constant symbol as follows: x is related to y iff ψ has an atomic formula Pxy or the negation of it as a conjunct. If this relation is merge-free for every disjunct ψ of the matrix then we call φ special. If φ is tautologically false then we take it as special. (We call a binary relation R merge-free iff xRz and yRz implies x = y.) The subset L_s of L is defined so that the formulas of L_s are exactly the special formulas of L. We say that two structures A and B are elementarily equivalent w.r.t. L_s iff for any closed formula α of L_s, A satisfies α iff B satisfies α.

CONJECTURE: Let A and B be two similar structures having a finite number of binary relations. Let their respective compatibility relations, C_A and C_B, be defined as above. A and B are G-equivalent iff they are elementarily equivalent w.r.t. L_s.

Related Work: The idea of observational equivalence is prevalent in Milner's work on the Calculus of Communicating Systems, see, e.g., [4,5]. The definition we adopt here is called the “weak observational equivalence” in [1]. This reference is a comparative study of several operational and logical notions of process equivalence. Hennessy and Milner [3] proposed a modal language to characterize observational equivalence. The game characterization of the elementary equivalence of similar finitary structures is due to Ehrenfeucht [2].
Abstract: In this paper we consider branching time semantics for finite sequential processes with silent moves. We show that Milner's notion of observation equivalence is not preserved under refinement of actions, even when no interleaving operators are considered; however, the authors' notion of branching bisimulation is.

INTRODUCTION

Virtually  all  semantic  equivalences  employed  in  theories  of  concurrency  are  defined  in  terms  of  actions  that 
concurrent  systems  may  perform  (cf.  [1-7]).  Mostly,  these  actions  are  taken  to  be  atomic,  meaning  that 
they  are  considered  not  to  be  divisible  into  smaller  parts.  In  this  case,  the  defined  equivalences  are  said  to 
be  based  on  action  atomicity. 

However,  in  the  top-down  design  of  distributed  systems  it  might  be  fruitful  to  model  processes  at  different 
levels  of  abstraction.  The  actions  on  an  abstract  level  then  turn  out  to  represent  complex  processes  on  a 
more  concrete  level.  This  methodology  does  not  seem  compatible  with  non-divisibility  of  actions  and  for 
this  reason,  PRATT  [7],  LAMPORT  [4]  and  others  plead  for  the  use  of  semantic  equivalences  that  are  not 
based  on  action  atomicity. 

As indicated in CASTELLANO, DE MICHELIS & POMELLO [2], the concept of action atomicity can be formalised by means of the notion of refinement of actions. A semantic equivalence is preserved under action refinement if two equivalent processes remain equivalent after replacing all occurrences of an atomic action a by a more complicated process r(a). In particular, r(a) may be a sequence of two actions a1 and a2. An equivalence is strictly based on action atomicity if it is not preserved under action refinement.

In a previous paper [3] the authors argued that Milner's notion of observation equivalence [5] does not respect the branching structure of processes, and proposed the finer notion of branching bisimulation equivalence, which does. In this paper we moreover find that observation equivalence is not preserved under action refinement, whereas branching bisimulation equivalence is.


1.  Process  graphs 

As a simple model, let us represent a process by a state transition diagram or process graph. Such a graph has a node for every one of the possible states of the process, and has arrows between nodes to indicate whether or not a state is accessible from another. Furthermore, these arrows (directed edges) are labelled, with labels from A ∪ {τ}, where A = {a, b, c, ...} is some set of observable signals, and τ stands for a silent step (cf. [5]).


DEFINITION 1.1 A process graph is a connected, rooted, edge-labelled and directed graph.

In an edge-labelled graph, one can have more than one edge between two nodes as long as they carry different labels. A rooted graph has one special node which is indicated as the root node. Graphs need not be finite, but in a connected graph one must be able to reach every node from the root node by following a finite path. If r and s are nodes in a graph, then r →_a s denotes an edge from r to s with label a (it is also used as a proposition stating that such an edge exists). In this paper we limit ourselves to processes represented by finite, non-trivial process graphs. A graph is finite if it is acyclic and contains only finitely many nodes and edges; it is trivial if it contains no edges at all. The set of non-trivial, finite process graphs will be denoted by G.

In order to turn G into an algebraic structure, it is possible to define binary operators '+' and '·' for alternative and sequential composition. For any two graphs g and h the process graph (g + h) is obtained by simply identifying their root nodes, whereas (g·h) - often written as just (gh) - can be found by identifying the root node of h with all endnodes of g. Furthermore, constants from A ∪ {τ} are interpreted as one-edge graphs, carrying the constant as their edge-label. The algebraic structure allows us to study equational theories that emerge from any defined equivalence on G. For instance, in branching time semantics, one often considers observation congruence (cf. MILNER [5]) - written as =c - as a deciding criterion for equality in observable behaviour. Let us write r ⇒ r' for a path from r to r' consisting of an arbitrary number (≥ 0) of τ-edges. Then its definition can be rephrased as:

DEFINITION 1.2 Two graphs g and h are observation equivalent if there exists a symmetric relation R ⊆ nodes(g)×nodes(h) ∪ nodes(h)×nodes(g) (called a τ-bisimulation) such that:

1. The roots are related by R.

2. If R(r,s) and r →_a r' (a ∈ A ∪ {τ}), then either a = τ and R(r',s), or there exists a path s ⇒ s1 →_a s2 ⇒ s' such that R(r',s').

Furthermore, g and h are observation congruent if we also have that

3. (root condition) Root nodes are related with root nodes only.

The root condition was first formulated by BERGSTRA & KLOP [1], and serves to turn the notion of observation equivalence into a congruence with respect to the operators + and ·. It can be proved that observation equivalence and observation congruence are equivalence relations on G, and that the latter is the coarsest congruence contained in the former (cf. [5,1,3]). It was shown in [1] that with respect to closed terms the model G/=c is completely axiomatized by the theory


A1  $x + y = y + x$

A2  $x + (y + z) = (x + y) + z$

A3  $x + x = x$

A4  $x(yz) = (xy)z$

A5  $(x + y)z = xz + yz$

T1  $x\tau = x$

T2  $\tau x = \tau x + x$

T3  $a(\tau x + y) = a(\tau x + y) + ax$   ($a \in A \cup \{\tau\}$)

The τ-laws T1-T3 originate from MILNER [5], who gave a complete axiomatization for a similar model with prefixing instead of general sequential composition. From these axioms, it is easy to show why the notion of observation congruence is not preserved under refinement of actions: replacing the action a by the term bc, we obtain bc(τx + y) = bc(τx + y) + bcx from T3, which obviously is not valid in G/=c. By T3, we do find bc(τx + y) = b(c(τx + y) + cx), which unfortunately denotes a different process.

Apart from the problem with refinement, it was observed in VAN GLABBEEK & WEIJLAND [3] that observation equivalence does not strictly preserve the branching structure of processes. This is because an important feature of a bisimulation (cf. PARK [6]) is missing for τ-bisimulation, namely the property that any computation in the one process corresponds to a computation in the other, in such a way that all intermediate states of these computations correspond as well. However, in observation congruence, when satisfying the second requirement of definition 1.2 one may execute arbitrarily many τ-steps in a graph without worrying about the status of the nodes that are passed in the meantime.

In order to overcome this problem, in [3] a different notion was introduced, which yields a finer equivalence on graphs.

DEFINITION 1.3 Two graphs g and h are branching equivalent if there exists a symmetric relation R ⊆ nodes(g)×nodes(h) ∪ nodes(h)×nodes(g) (called a branching bisimulation) such that:

1. The roots are related by R.

2. If R(r,s) and r →_a r' (a ∈ A ∪ {τ}), then either a = τ and R(r',s), or there exists a path s ⇒ s1 →_a s' such that R(r,s1) and R(r',s').

Furthermore,  g  and  h  are  branching  congruent  if  we  also  have  that 

3.  (root  condition)  Root  nodes  are  related  with  root  nodes  only. 

Let us write R: g ↔_b h if R is a branching bisimulation between g and h, and R: g ↔_rb h if, in addition, R satisfies the root condition. One can prove that the same equivalence is defined when in definition 1.3 all intermediate nodes in s ⇒ s1 are required to be related with r. Furthermore, observe that a branching bisimulation can also be defined as in definition 1.2, with as extra requirements that R(r,s1) and R(r',s2).

It can be proved that branching equivalence and branching congruence are equivalence relations on G. Furthermore, the latter is the coarsest congruence contained in the former. It was shown in [3] that with respect to closed terms, the model G/↔_rb is completely axiomatized by the axioms A1-A5 together with

$x\tau = x$   B1

$x(\tau(y + z) + y) = x(y + z)$   B2.

Note that the axioms B1-B2 when applied from left to right only eliminate occurrences of τ's. Using this property, it can be shown that the associated term rewriting system on G/=A1-A5, i.e. G modulo equality induced by the axioms A1-A5, is confluent and terminating. So any two closed branching congruent terms can be reduced to the same normal form.


2.  REFINEMENT 

In  this  section  we  will  prove  that  branching  congruence  is  preserved  under  refinement  of  actions,  and  so  it 
allows  us  to  look  at  actions  as  abstractions  of  much  larger  structures.  Consider  the  following  definitions. 


DEFINITION 2.1 (substitution)

Let r: A → G be a mapping from observable actions to graphs, and suppose g ∈ G. Then, the graph r(g) can be found as follows.

For every edge r →_a t (a ∈ A) in g, take a copy r̂(a) of r(a) (∈ G). Next, identify r with the root node of r̂(a), and t with all endnodes of r̂(a), and remove the edge r →_a t.

Note that in this definition it is never needed to identify r and t, since graphs from G are non-trivial. This way, the mapping r is defined on the domain G. Note that since τ ∉ A, τ-edges cannot be substituted by graphs. Finally, observe that every node in g is a node in r(g).

DEFINITION 2.2 (preservation under refinement of actions)

An equivalence ≈ on G is said to be preserved under refinement of actions if for every mapping r: A → G, we have: g ≈ h ⇒ r(g) ≈ r(h).

In other words, an equivalence ≈ is preserved under refinement if it is a congruence with respect to every substitution operator r.

Starting from a relation R: g ↔_rb h, we construct a branching bisimulation relation r(R): r(g) ↔_rb r(h), proving that, preserving branching congruence, every edge with a label from A can be replaced by a graph.

DEFINITION 2.3 Let r: A → G be a mapping from observable actions to graphs, g, h ∈ G and R: g ↔_rb h. Now r(R) is the smallest relation between nodes of r(g) and r(h) such that:

1. R ⊆ r(R).

2. If r →_a r' and s →_a s' (a ∈ A) are edges in g and h such that R(r,s) and R(r',s'), and both edges are replaced by copies r̂(a) and r̂'(a) of r(a) respectively, then nodes from r̂(a) and r̂'(a) are related by r(R) only if they are copies of the same node in r(a).

Edges r →_a r' and s →_a s' (a ∈ A) such that R(r,s) and R(r',s') will be called related by R, as well as the copies r̂(a) and r̂'(a) that are substituted for them. Observe that on nodes from g and h the relation r(R) is equal to R. Note that if r(R)(r,s), then r is a node in g iff s is a node in h.

THEOREM  (refinement) 

Branching  congruence  is  preserved  under  refinement  of  actions. 

PROOF We prove that R: g ↔_rb h ⇒ r(R): r(g) ↔_rb r(h) by checking the requirements.

1. The root nodes of r(g) and r(h) are related by r(R).

2. Assume r(R)(r,s) and in r(g) there is an edge r →_a r'. Then there are two possibilities (similarly in case r →_a r' stems from r(h)):

(i) The nodes r and s originate from g and h. Then R(r,s), and by the construction of r(g) we find that either a = τ and r →_τ r' was already an edge in g, or g has an edge r →_b r'' and r →_a r' is a copy of an initial edge from r(b). In the first case it follows from R: g ↔_rb h that either R(r',s) - hence r(R)(r',s) - or in h there is a path s ⇒ s1 →_τ s' such that R(r,s1) and R(r',s'). By definition, the same path also exists in r(h), and we have r(R)(r,s1) and r(R)(r',s'). In the second case there must be a path s ⇒ s1 →_b s'' in h such that R(r,s1) and R(r'',s''). Then, in r(h) we find a path s ⇒ s1 →_a s' (by replacing →_b by r(b)) such that r(R)(r,s1) and r(R)(r',s').

(ii) The nodes r and s originate from related copies r̂(b) and r̂'(b) of a substituted graph r(b) (for some b ∈ A), and are no copies of root or endnodes in r(b). Then r →_a r' is an edge in r̂(b). From r(R)(r,s) we find that r and s are copies of the same node from r(b). So, there is an edge s →_a s' in r̂'(b) where s' is a copy of the node in r(b) corresponding with r'. Clearly r(R)(r',s').

3. Since for nodes from g and h we have r(R)(r,s) iff R(r,s), the root condition is satisfied. □

With respect to closed terms, the refinement theorem can be proved much more easily by syntactic analysis of proofs, instead of working with equivalences between graphs. For observe that the axioms A1-A5 + B1-B2, that form a complete axiomatization of branching congruence for closed terms, do not contain any occurrences of (atomic) actions from A. Now assume we have a proof of some equality s = t between closed terms; then this proof consists of a sequence of applications of axioms from A1-A5 + B1-B2. Since all these axioms are universal equations without actions from A, the actions from s and t can be replaced by general variables, and the proof will still hold. Hence, every equation is an instance of a universal equation without any actions. Immediately we find that we can substitute arbitrary closed terms for these variables, obtaining refinement for closed terms.

Nevertheless,  the  semantic  proof  of  the  refinement  theorem  is  important  as  one  may  wish  to  generalize  the 
result  to  models  of  larger  graphs  than  just  finite  ones  from  G. 
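An added example, not code from the paper: definitions 1.2, 1.3 and 2.1 as a small checker (largest τ- or branching bisimulation computed by removing violating pairs until a fixpoint, the root condition, and refinement of actions), run on constructed graphs for the two sides of T3 and of B2 with a refined to bc; the class and function names are my own.

```python
TAU = "tau"   # the silent step

class Graph:
    """Finite, acyclic, rooted, edge-labelled graph; edges are (src, label, dst) triples."""
    def __init__(self, edges, root=0):
        self.edges, self.root = frozenset(edges), root
    @property
    def nodes(self):
        return {n for s, _, t in self.edges for n in (s, t)}
    def ends(self):
        """Endnodes: nodes without outgoing edges."""
        srcs = {s for s, _, _ in self.edges}
        return {t for _, _, t in self.edges if t not in srcs}
    def relabel(self, f):
        return Graph({(f(s), a, f(t)) for s, a, t in self.edges}, f(self.root))
    def fresh(self, start):
        """Copy with node ids start, start+1, ... (root first); also returns the next free id."""
        ids = {self.root: start}
        for n in sorted(self.nodes):
            ids.setdefault(n, start + len(ids))
        return self.relabel(ids.__getitem__), start + len(ids)

def act(a):                       # the constant a in A u {tau}: a one-edge graph
    return Graph({(0, a, 1)})

def alt(g, h):
    """g + h: identify the two root nodes."""
    h2, _ = h.fresh(max(g.nodes) + 1)
    return Graph(g.edges | h2.relabel(lambda n: g.root if n == h2.root else n).edges, g.root)

def seq(g, h):
    """g . h: identify the root of h with all endnodes of g."""
    h2, _ = h.fresh(max(g.nodes) + 1)
    ends = g.ends()
    return Graph(g.relabel(lambda n: h2.root if n in ends else n).edges | h2.edges, g.root)

def refine(g, r):
    """r(g) of definition 2.1: every edge s ->a t with a in r becomes a fresh copy of r[a]."""
    edges, nxt = set(), max(g.nodes) + 1
    for s, a, t in g.edges:
        if a not in r:
            edges.add((s, a, t))
            continue
        copy, nxt = r[a].fresh(nxt)
        ends = copy.ends()
        edges |= copy.relabel(lambda n: s if n == copy.root else t if n in ends else n).edges
    return Graph(edges, g.root)

def tau_closure(g, n):
    """n => n': the nodes reachable from n by zero or more tau-edges."""
    seen, todo = {n}, [n]
    while todo:
        m = todo.pop()
        for s, a, t in g.edges:
            if s == m and a == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def answered(h, R, r, a, r2, s, branching):
    """Clause 2 of definition 1.2 (or 1.3 if branching): can h answer r ->a r2 from s in R?"""
    if a == TAU and (r2, s) in R:
        return True
    for s1 in tau_closure(h, s):
        if branching and (r, s1) not in R:      # the node before the a-step must match r
            continue
        for x, b, s2 in h.edges:
            if x == s1 and b == a:
                if branching and (r2, s2) in R:
                    return True
                if not branching and any((r2, s3) in R for s3 in tau_closure(h, s2)):
                    return True
    return False

def bisimilar(g, h, branching, rooted):
    """Largest tau- (or branching) bisimulation between g and h, by removing violating
    pairs until a fixpoint; True iff it relates the roots (root condition if rooted)."""
    R = {(r, s) for r in g.nodes for s in h.nodes
         if not rooted or (r == g.root) == (s == h.root)}
    while True:
        Rinv = {(s, r) for r, s in R}
        keep = {(r, s) for r, s in R
                if all(answered(h, R, r, a, r2, s, branching) for x, a, r2 in g.edges if x == r)
                and all(answered(g, Rinv, s, a, s2, r, branching) for x, a, s2 in h.edges if x == s)}
        if keep == R:
            return (g.root, h.root) in R
        R = keep

def observation_congruent(g, h): return bisimilar(g, h, branching=False, rooted=True)
def branching_congruent(g, h): return bisimilar(g, h, branching=True, rooted=True)

# Constructed instances: both sides of T3 (with x = d, y = e), both sides of B2, and r(a) = bc.
T3_LEFT = seq(act("a"), alt(seq(act(TAU), act("d")), act("e")))                  # a(tau d + e)
T3_RIGHT = alt(T3_LEFT, seq(act("a"), act("d")))                                   # a(tau d + e) + ad
B2_LEFT = seq(act("a"), alt(seq(act(TAU), alt(act("d"), act("e"))), act("d")))    # a(tau(d + e) + d)
B2_RIGHT = seq(act("a"), alt(act("d"), act("e")))                                  # a(d + e)
REFINE_A = {"a": seq(act("b"), act("c"))}
```

T3 holds for observation congruence but not for branching congruence, and refining a to bc breaks the observation congruence, while B2 survives refinement, as the refinement theorem predicts.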
Dialectical Program Semantics
Robert E. Kent


Introduction 

Dynamic logic [Kozen] seeks to bring dynamic notions into logic and program semantics by basing this semantics and logic on the notion of “predicate transformer”. The alternate program semantics of Hoare-style “precondition/postcondition assertions” is usually viewed as a special case of dynamic logic. Dialectical logic [Kent] seeks to bring dynamic notions into logic by basing logic [Lawvere] on the notion of “dialectical contradiction”, or adjoint pair. How do these three logics connect together? This paper will show that dynamic logic and Hoare-style precondition/postcondition assertional semantics are exactly equivalent, and that dialectical logic subsumes both in the sense that “dynamic logic is the standard aspect of dialectical logic”. More particularly, I show in this paper that the axioms of dynamic logic (or alternatively, precondition/postcondition assertional axioms) characterize precisely the dialectical logic notion of dialectical flow category (or alternatively, assertional category, a notion related but not equivalent to Manes's assertional category [Manes]). A dialectical flow category is a kind of indexed adjointness or dialectical base which itself is a dialectical enrichment of the notion of indexed preorder [Hyland]. In fact, a dialectical flow category is an indexed adjointness of subtypes which is locally cartesian closed. The indexing category here is the enriched notion of a join bisemilattice [Kent]. Dialectical flow categories objectivize the intuitive idea of predicate transformation or the “dialectical flow of predicates”.


Assertional  and  Flow  Categories 

In  this  section  we  discuss  the  semantic  structures  appropriate  for  dialectical  program  semantics.  The  natural 
axiomatization  indicated  by  these  semantic  structures,  which  is  an  alternate  axiomatization  of  dynamic  logic 
and  expressed  principally  in  terms  of  adjunctions,  will  be  given  in  the  full  paper. 

A biposet is another name for an ordered category; that is, a category $\mathbf{P} = (P, \otimes, \mathrm{Id})$ whose homsets are posets under term entailment $\le$ and whose composition $\otimes$, called tensor product, is monotonic on the left and on the right. We prefer to view biposets as vertical structures, preorders with a tensor product, rather than as horizontal structures, ordered categories. The structural aspect of the semantics of dialectical logic is defined in terms of bisemilattices. A join bisemilattice or semiexact biposet $\mathbf{P} = ((P, \le, \otimes, \mathrm{Id}), \oplus, 0)$ is a biposet whose homsets are finitely complete join-semilattices, with join terms $s \oplus r$ and bottom term $0$, and whose composition (tensor product) is finitely join-continuous. $\mathbf{P}$-objects are called types and $\mathbf{P}$-arrows are called terms. Any distributive lattice is a one-object join bisemilattice, where tensor product coincides with lattice meet, $s \otimes r = s \wedge r$. A morphism of join bisemilattices $\mathbf{P} \to \mathbf{Q}$ is a functor which preserves homset order and finite homset joins. A complete Heyting category, abbreviated cHc, is the same as a complete join bisemilattice; that is, a join bisemilattice $\mathbf{H}$ whose homsets are complete join semilattices (arbitrary joins exist) and whose tensor product is join continuous (completely distributive w.r.t. joins). Since the homset $\mathbf{H}[x,z]$ is a complete lattice, and the left tensor product $r \otimes (-)$ with $r : x \to y$ is continuous, it has (and determines) a right adjoint, $r \otimes s \le_{x,z} t$ iff $s \le_{y,z} r \backslash t$, called left tensor implication. Similarly, the right tensor product $(-) \otimes r$ with $r : y \to z$ has (and determines) a right adjoint, $t \otimes r \le_{x,z} s$ iff $t \le_{x,y} s / r$, called right tensor implication. The category $\mathbf{Rel}$ (also denoted $\mathbf{Mfn}$) of sets and binary relations (multivalued functions) is a cHc. Given an alphabet $A$, the category of formal $A$-languages $\mathcal{P}(A^*)$ is a one-object cHc (complete Heyting monoid), whose terms are formal languages, whose tensor product is language concatenation, and whose identity is the singleton empty string $\{\epsilon\}$. More generally, every biposet $\mathbf{P}$ has an associated closure subset category $\mathcal{P}(\mathbf{P})$ which is a cHc: objects are $\mathbf{P}$-types, arrows $y \to x$ are subsets of $\mathbf{P}$-terms $R \subseteq \mathbf{P}[y,x]$, and homset order is the closed-below order $S \le R$ when $S \subseteq {\downarrow}(R)$. Since every category $\mathbf{C}$ is a biposet with the identity order on homsets, the subset construction $\mathcal{P}(\mathbf{C})$ is a special case of the closure subset construction.

For any type $x$ in a join bisemilattice $\mathbf{P}$ a comonoid $u$ at $x$, denoted by $u{:}x$, is an endoterm $x \to x$ which satisfies "coreflexivity" $u \le_{x,x} x$, stating that $u$ is a "subpart" of the type (identity term) $x$, and "cotransitivity" $u \le u \otimes u$. Since $u \otimes u \le x \otimes u = u$, we can replace the cotransitivity condition with the equality $u \otimes u = u$, which states that $u$ is an "idempotent" term at type $x$. Comonoids are generalized subtypes. Comonoids of type $x$ are ordered by entailment $\le_x \;=\; \le_{x,x}$. The bottom endoterm $0_x = 0_{x,x}$ is the smallest comonoid of type $x$. The join $v \oplus u$ of any two comonoids $v{:}x$ and $u{:}x$ of type $x$ is also a comonoid of type $x$. Denote the join semilattice of comonoids of type $x$ by $\Omega(x)$. [Standardization property:] $\Omega(x)$ is closed under tensor product; in fact, $\Omega(x)$ is a lattice, with the tensor product $v \otimes u$ of two comonoids $v, u \in \Omega(x)$ being the lattice meet in $\Omega(x)$, and the tensor product identity (or type) endoterm $x$ being the largest comonoid of type $x$. Furthermore, the meet distributes over the join. This standardization property means that the local contexts (monoidal semilattices) of comonoids $\{\Omega(x) \mid x \text{ a type}\}$ are standard contexts (distributive lattices), and shows why propositions (interpreted as comonoids) and programs (interpreted as terms) are subsumed by a single concept. In subset categories $\mathcal{P}(\mathbf{C})$ a comonoid of type $x$ is either the empty endoterm $x \xrightarrow{\emptyset} x$ or the identity singleton $x \xrightarrow{\{\mathrm{id}_x\}} x$, and these can be interpreted as the truth-values false and true, so that $\Omega(x)$ is the complete Heyting algebra $\Omega(x) = \mathbf{2}$.

A Hoare triple or Hoare assertion $v{:}y \xrightarrow{r} u{:}x$ in a join bisemilattice $\mathbf{P}$, denoted traditionally although imprecisely by $\{v\}r\{u\}$, consists of a "flow specifying" $\mathbf{P}$-term $y \xrightarrow{r} x$ and two $\mathbf{P}$-comonoids, a "precondition" or source comonoid $v \in \Omega(y)$ and a "postcondition" or target comonoid $u \in \Omega(x)$, which satisfy the "precondition/postcondition constraint" $v \otimes r \le r \otimes u$. Composition of Hoare triples $\{w\}s\{v\} \otimes \{v\}r\{u\} = \{w\}(s \otimes r)\{u\}$ is well-defined and $\{u\}x\{u\}$ is the identity Hoare triple at the comonoid $u{:}x$. Also, there is a zero triple $\{v\}0_{y,x}\{u\}$ for any precondition $v \in \Omega(y)$ and postcondition $u \in \Omega(x)$, and if $\{v\}r\{u\}$ and $\{v\}s\{u\}$ are two triples with the same precondition and postcondition then $\{v\}(r \oplus s)\{u\}$ is also a triple. So typed comonoids as objects and Hoare triples as arrows form a join bisemilattice $\mathbf{H}(\mathbf{P})$ called the Hoare assertional category over $\mathbf{P}$. There is an obvious underlying type/term functor $T : \mathbf{H}(\mathbf{P}) \to \mathbf{P}$ which is a morphism of join bisemilattices. For each type $x$ in $\mathbf{P}$, the fiber over $x$ is the subcategory $T^{-1}(x) \subseteq \mathbf{H}(\mathbf{P})$ of all comonoids and triples which map to $x$. The objects in $T^{-1}(x)$ are the comonoids of type $x$ and the triples in $T^{-1}(x)$ are of the form $\{u'\}x\{u\}$, pairs of comonoids of type $x$ satisfying $u' \le u$. Hence, the fiber over $x$ is just the join semilattice (actually, distributive lattice) of comonoids $T^{-1}(x) = \Omega(x)$.
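The definitions above (tensor implications in a cHc, comonoids as coreflexive idempotent endoterms, and the Hoare triple constraint $v \otimes r \le r \otimes u$) can all be checked concretely in the cHc $\mathbf{Rel}$. The following is an added example, not code from the paper: it models finite sets as Python frozensets and relations as frozensets of pairs, implements tensor product, the two residuals, comonoids and Hoare triples as the text defines them, and verifies the adjunction laws by brute force over every candidate term. The sample types and relations are constructed for the example, and the function names are mine.

```python
# Added example, not from the paper: the complete Heyting category Rel of
# finite sets and binary relations, with the operations the text defines.
# Tensor product is relational composition, the two tensor implications are
# the residuals adjoint to composition, a comonoid is a coreflexive
# idempotent endo-relation (a subset of its type), and a Hoare triple
# {v} r {u} is the inclusion v (x) r <= r (x) u.  All sample data below is
# constructed for the example.
from itertools import combinations

def tensor(r, s):
    """r (x) s for r: x->y, s: y->z (diagrammatic composition)."""
    return frozenset((a, c) for (a, b) in r for (b2, c) in s if b == b2)

def identity(x):
    """The identity term at type x (the type itself, as the paper writes it)."""
    return frozenset((a, a) for a in x)

def left_implication(r, t, y, z):
    """Left tensor implication r \\ t: largest s: y->z with r (x) s <= t."""
    return frozenset((b, c) for b in y for c in z
                     if all((a, c) in t for (a, b2) in r if b2 == b))

def right_implication(t, r, x, y):
    """Right tensor implication t / r: largest s: x->y with s (x) r <= t."""
    return frozenset((a, b) for a in x for b in y
                     if all((a, c) in t for (b2, c) in r if b2 == b))

def subtype(x, members):
    """The comonoid u:x picking out a subset of the type x."""
    return frozenset((a, a) for a in members if a in x)

def is_comonoid(u, x):
    """Coreflexive (u <= x) and idempotent (u (x) u = u)."""
    return u <= identity(x) and tensor(u, u) == u

def hoare_triple(v, r, u):
    """{v} r {u}: the precondition/postcondition constraint v (x) r <= r (x) u."""
    return tensor(v, r) <= tensor(r, u)

def least_postcondition(v, r, x):
    """The least comonoid u of type x with {v} r {u}.  In Rel it is the image
    of v under r; the paper later calls this the strongest postcondition."""
    dom = {a for (a, _) in v}
    return subtype(x, {c for (a, c) in r if a in dom})

def all_relations(y, z):
    """Every relation y -> z (2^(|y||z|) of them; keep types tiny)."""
    pairs = [(b, c) for b in sorted(y) for c in sorted(z)]
    return (frozenset(p) for k in range(len(pairs) + 1)
            for p in combinations(pairs, k))

# Constructed sample types and terms: a nondeterministic program r: Y -> X.
Y = frozenset({1, 2, 3})
X = frozenset({'a', 'b', 'c'})
Z = frozenset({'p', 'q'})
r = frozenset({(1, 'a'), (2, 'a'), (2, 'b'), (3, 'c')})   # r: Y -> X
t = frozenset({(1, 'p'), (2, 'p'), (3, 'q')})            # t: Y -> Z
r2 = frozenset({('a', 'p'), ('b', 'p'), ('c', 'q')})     # r2: X -> Z

def adjunctions_hold():
    """Check both adjunction laws against every candidate term s."""
    left = all((tensor(r, s) <= t) == (s <= left_implication(r, t, X, Z))
               for s in all_relations(X, Z))
    right = all((tensor(s, r2) <= t) == (s <= right_implication(t, r2, Y, X))
                for s in all_relations(Y, X))
    return left and right

def comonoid_facts():
    """Comonoids of a type are exactly its subsets: tensor = meet, join = union."""
    v, u = subtype(Y, {1, 2}), subtype(Y, {2, 3})
    return (is_comonoid(v, Y) and is_comonoid(u, Y)
            and tensor(v, u) == subtype(Y, {2})        # meet
            and (v | u) == subtype(Y, {1, 2, 3})       # join
            and not is_comonoid(frozenset({(1, 2)}), Y))

if __name__ == "__main__":
    v = subtype(Y, {1, 2})
    print(adjunctions_hold(), comonoid_facts())          # True True
    print(hoare_triple(v, r, subtype(X, {'a', 'b'})))    # True
    print(hoare_triple(v, r, subtype(X, {'a'})))         # False: 2 may go to b
    print(sorted(least_postcondition(v, r, X)))          # [('a', 'a'), ('b', 'b')]
    # fibre over X: {u'} X {u} holds iff u' <= u
    print(hoare_triple(subtype(X, {'a'}), identity(X), subtype(X, {'a', 'b'})))  # True
```

The brute-force adjunction check is the point of the example: in $\mathbf{Rel}$ the residual $r \backslash t$ is exactly the largest $s$ with $r \otimes s \le t$, which is what makes the weakest-precondition style reasoning of the later sections available in this model.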

For each type $x$ in $\mathbf{P}$, the lattice of comonoids $\Omega(x)$ is a (one-object) join sub-bisemilattice of $\mathbf{P}$, and the inclusion functor $\Omega(x) \to \mathbf{P}$ is a morphism of join bisemilattices. Tensor product, which is lattice meet in $\Omega(x)$, forms a local conjunction functor $\otimes_x : \Omega(x) \to \mathbf{JSL}$ into the category of join semilattices, defined on the single object by $\otimes_x(x) = \Omega(x) = (\Omega(x), \oplus, 0)$ and on a comonoid $u$ by $\otimes_x(u) = (-) \otimes u : \Omega(x) \to \Omega(x)$. Conjunction is a join semilattice functor. This example is a special case of the following construct. An indexed join semilattice $(\mathbf{P}, \Box_{(\,)})$ consists of: 1. a join bisemilattice $\mathbf{P}$, and 2. a join semilattice functor $\Box_{(\,)} : \mathbf{P} \to \mathbf{JSL}$: (a) $\Box_x$ is a join semilattice for each type $x$; (b) $\Box_r : \Box_y \to \Box_x$ is a morphism of join semilattices for each term $r : y \to x$, called the direct flow specified by $r$, with $\Box_r(0) = 0$ and $\Box_r(v \oplus v') = \Box_r(v) \oplus \Box_r(v')$; (c) $\Box_{(\,)}$ is functorial, with $\Box_x = \mathrm{Id}_{\Box_x}$ and $\Box_{s \otimes r}(w) = \Box_r(\Box_s(w))$ for composable terms $s : z \to y$ and $r : y \to x$; (d) $\Box_{(\,)}$ is a join semilattice functor: (i) if $r \le s$ then $\Box_r \le \Box_s$, (ii) $\Box_{0} = 0$ and $\Box_{r \oplus s} = \Box_r \oplus \Box_s$ (pointwise, on each $\Box_y$). Equivalently, an indexed join semilattice is a join bisemilattice morphism $\mathbf{H} \to \mathbf{P}$ which, as a functor, is an indexed category (an opfibration). A direct flow category $(\mathbf{P}, \Box_{(\,)})$ is an indexed join semilattice which 3. is standard on subtypes: (a) $\Box_x$ is a join subsemilattice of comonoids, $\Box_x \subseteq \Omega(x) = (\Omega(x), \oplus, 0)$, for each type $x$; (b) $\Box_{(\,)}$ restricted to $x$-comonoids is the local conjunction functor, $\mathrm{Inc}_x \cdot \Box_{(\,)} = \otimes_x$; that is, subtype direct flow $\Box_u : \Box_x \to \Box_x$ is just conjunction, $\Box_u(u') = u' \otimes u$ for each comonoid $u \in \Box_x$. Comonoids in $\Box_x$ and conjunction form a direct flow category $(\Box_x, \otimes_x)$ for each type $x$. A morphism of direct flow categories $(\mathbf{P}, \Box^{\mathbf{P}}_{(\,)}) \to (\mathbf{Q}, \Box^{\mathbf{Q}}_{(\,)})$ is a morphism of join bisemilattices $H : \mathbf{P} \to \mathbf{Q}$ which preserves flow, $H \cdot \Box^{\mathbf{Q}}_{(\,)} = \Box^{\mathbf{P}}_{(\,)}$. So inclusion $(\Box_x, \otimes_x) \to (\mathbf{P}, \Box_{(\,)})$ is a morphism of direct flow categories.

A join bisemilattice $\mathbf{P}$ has direct Hoare flow when for any term $r : y \to x$ and any precondition $v \in \Omega(y)$ there is a postcondition $\Box_r(v) \in \Omega(x)$, called the strongest postcondition of $r$, which satisfies the axiom $\Box_r(v) \le u$ iff $v \otimes r \le r \otimes u$ iff $(v{:}y \xrightarrow{r} u{:}x) \in \mathrm{Arr}(\mathbf{H}(\mathbf{P}))$ for any postcondition $u \in \Omega(x)$; equivalently, $\Box_r(v) = \bigwedge \{u \in \Omega(x) \mid v \otimes r \le r \otimes u\}$. Also, $\Box_r(\Box_s(w)) \le \Box_{s \otimes r}(w)$ for any comonoid $w \in \Omega(z)$ and composable term $s : z \to y$. Some identities for the direct flow operator $\Box_{(\,)}$ are: $\Box_u(u') = u' \otimes u$ for all comonoids $u, u' \in \Omega(x)$; $\Box_{s \otimes r}(w) = \Box_r(\Box_s(w))$ for two composable $\mathbf{P}$-terms $s : z \to y$ and $r : y \to x$. A join bisemilattice $\mathbf{P}$ has ranges when for any $\mathbf{P}$-term $r : y \to x$ there is a range postcondition $\partial_1(r) \in \Omega(x)$ which satisfies the axioms $\partial_1(r) \le u$ iff $r \le r \otimes u$, and $\partial_1(s \otimes r) = \partial_1(\partial_1(s) \otimes r)$, for any postcondition $u \in \Omega(x)$ and composable $\mathbf{P}$-term $s : z \to y$. Some identities for the range operator $\partial_1$ are: "subtypes are their own range", $\partial_1(u) = u$ for any comonoid $u \in \Omega(x)$; "the range of a subterm is the subterm of the range", $\partial_1(r \otimes u) = \partial_1(r) \otimes u$ for any term $r : y \to x$ and any postcondition $u \in \Omega(x)$; and "only zero has empty range", $\partial_1(r) = 0_x$ iff $r = 0_{y,x}$ for any term $r : y \to x$. If $\mathbf{P}$ has direct Hoare flow $\Box_{(\,)}$, then it has ranges $\partial_1$ defined to be the direct flow of the top (identity) precondition, $\partial_1(r) = \Box_r(y)$ for any term $r : y \to x$. Conversely, if $\mathbf{P}$ has ranges, then it has direct Hoare flow defined to be the range of the tensor product (guarded term), $\Box_r(v) = \partial_1(v \otimes r)$. A direct Hoare flow category is a join bisemilattice which has direct Hoare flow, or equivalently, ranges. A join bisemilattice $\mathbf{P}$ is a direct Hoare flow category iff the associated functor $T : \mathbf{H}(\mathbf{P}) \to \mathbf{P}$ is an indexed join semilattice $(\mathbf{H}(\mathbf{P}), T, \mathbf{P})$. In fact, any direct Hoare flow category is a direct flow category.
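As an added check, not part of the paper, the interdefinability of direct Hoare flow and ranges just stated can be carried through with nothing more than coreflexivity $v \le y$, idempotence $v \otimes v = v$ and monotonicity of $\otimes$. Starting from direct Hoare flow and putting $\partial_1(r) := \Box_r(y)$,
$$\partial_1(r) \le u \iff y \otimes r \le r \otimes u \iff r \le r \otimes u,$$
which is the first range axiom. Starting instead from ranges and putting $\Box_r(v) := \partial_1(v \otimes r)$,
$$\Box_r(v) \le u \iff v \otimes r \le v \otimes r \otimes u,$$
and this is the precondition/postcondition constraint $v \otimes r \le r \otimes u$: from $v \otimes r \le v \otimes r \otimes u$ and $v \le y$ we get $v \otimes r \le y \otimes r \otimes u = r \otimes u$; from $v \otimes r \le r \otimes u$ and $v = v \otimes v$ we get $v \otimes r = v \otimes v \otimes r \le v \otimes r \otimes u$. Hence $\Box_r(v) \le u$ iff $\{v\}r\{u\}$, so $\Box_r(v)$ is the strongest postcondition. Under the same translation the second range axiom, $\partial_1(s \otimes r) = \partial_1(\partial_1(s) \otimes r)$, is the functoriality $\Box_{s \otimes r}(z) = \Box_r(\Box_s(z))$ applied to the top precondition $z$.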


Summary 

The most important improvement made by dialectical logic over dynamic logic is in the correct and rigorous treatment of subtypes. It is a serious conceptual error [Kozen] to view dynamic logic as a two-sorted structure: one sort being programs and the other sort being propositions. The central viewpoint of dialectical logic is that predicates (here called subtypes, or more precisely, comonoids) are special local idempotent kinds of programs (here called terms or processes), which by their idempotent and coreflexive nature form the standard logical structure of a Heyting algebra in the intuitionistic case or a Boolean algebra in the classical case. The two dynamic logic operations of program sequencing and predicate conjunction are combined into the one (horizontal) dialectical logic operation of tensor product of terms, and the two dynamic logic operations of program summing and predicate disjunction are combined into the one (vertical) dialectical logic operation of boolean sum. Now, tensor product and boolean sum are global operations on terms. In addition, dialectical logic has complement operations called tensor implications and tensor negation [Kent], which are also global. In contrast to these, dialectical program semantics introduces local complement operations called boolean implication and boolean negation.

Global products and coproducts of precondition/postcondition assertions are defined in terms of biproducts in the indexing category underlying a dialectical flow category. Biproducts model the semantic notion of "type sum". Completely general axioms for domains-of-definition and ranges, and their negation duals kernels and cokernels, can be given, which are equivalent to predicate transformer axioms and do not require the notion of type sum. A nice program semantics has already been given [Manes] which is based upon the notions of sums and bikernels, but one of the purposes of this paper is to show that dialectical program semantics, the standard logical semantics of "relational structures", does not require sums and only indirectly requires bikernels. Iterates, the dialectical logic rendition of the "consideration modality" of linear logic [Girard], are defined as freely generated monoids, and dialectical categories with consideration modality are introduced to ensure the existence of iterates. The important doctrine of linear logic, paraphrased by the statement that "the familiar connective of boolean negation factors into two operations: linear negation, which is the purely negative part of negation; and the modality of course, which has the meaning of reaffirmation", is verified in dialectical program semantics, since the local operation of boolean implication (boolean negation) of subtypes factors into the global operation of tensor implication (tensor negation) followed by comonoidal support, the dialectical logic rendition of the "affirmation modality" of linear logic.

Term hom-set completeness defines the notion of topology of subtypes, thereby making further contact with the affirmation modality. In such complete semantics, topologized matrices of terms are defined, and shown to be (categorically) equivalent to single terms via the inverse operations of "partitioning" and "summing".

With the introduction of type sums a nontopological matrix theory is developed, where ordinary matrices of terms are defined and shown to be (categorically) equivalent to terms with biproducts.

In summary, with dialectical program semantics we hope to unify small-scale and large-scale program semantics by giving a concrete foundation for the observation that "precondition/postcondition assertions are similar in structure to relational database constraints". I am now exploring the close connection between the functional aspect of dialectical program semantics and Martin-Löf type theory given via locally cartesian closed categories [Seely]. Furthermore, there is a strong connection between dialectical program semantics and algebraic and temporal logic models of regulation in feedback control systems [Wonham].